{ "id": "00055d75-c4ca-5c5b-8eb0-cf1ae8fbeae4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820302Z", "creation_date": "2026-03-23T11:45:30.820304Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820309Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0ffa2791abaa004489427b2c187b64db87b49aaa0ffb2e576f0c982dbe62c62a", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "000a28de-7145-5411-8498-d995fafff2e1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.603951Z", "creation_date": "2026-03-23T11:45:29.603954Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.603965Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "f4222e186d23160c29fe2bdf163d29561139eae8484d081457e7278872d7e9e2", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0010a7ec-4038-52d2-bafd-8951fd0da80c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467985Z", "creation_date": "2026-03-23T11:45:30.467989Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467998Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "81237053f6eeaf659970e9e5e7abba00261ec2b850b1f5b195d0888f8ce66d6f", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0016849f-5781-5d69-9677-55ab9fae5c65", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.462956Z", "creation_date": "2026-03-23T11:45:30.462959Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462968Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bcb774b6f6ff504d2db58096601bc5cb419c169bfbeaa3af852417e87d9b2aa0", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "001cbe83-97a2-5162-a1dc-71a584661ffd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149097Z", "creation_date": "2026-03-23T11:45:31.149100Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149108Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8c7c17c77cadbedc05bd2cb988dd3f654fd7b43899a949ec1d63d07ede6570c4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "002e82a9-97d5-50ea-987d-429045a2b609", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609736Z", "creation_date": "2026-03-23T11:45:29.609738Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609744Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ce23c2dae4cca4771ea50ec737093dfafac06c64db0f924a1ccbbf687e33f5a2", "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0031c4f5-a44b-5b66-8741-0c4516e658c1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967920Z", "creation_date": "2026-03-23T11:45:29.967922Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967927Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"b348190c2991baec9cdda808187712c205dbf0f3f6178b3c68bc9b13bb0d3bfe", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "00373a0f-2ca7-5e52-aa17-4ddb36b93d42", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811681Z", "creation_date": "2026-03-23T11:45:31.811683Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811689Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e37f4c077ae36294772acc7d23084d1ef5ab5e293974b1a872a5b18fb85f873a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "003c2e1b-9e06-598e-b9fa-2cd73aef37b5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.967401Z", "creation_date": "2026-03-23T11:45:29.967403Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967409Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a3e8ea5e593176f9e66c17f6a200fa665c7ef409c97f49aadf5a55ad6b0be97e", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "003c8069-8d1a-50ee-b5e8-afcaee6796a8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828931Z", "creation_date": "2026-03-23T11:45:30.828933Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828938Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a4a65f4671a6fd29d5e212dfd0e87011bc969ed3d3a72ac8f0b24a20be9a8b5d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "00499fd4-be3f-5abf-ba9d-b5a26e40514d", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811764Z", "creation_date": "2026-03-23T11:45:31.811766Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811772Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e9d8be1fa973114a45254ddc7d925a2ce9349fdebded42caf8dac724afd0cfc5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "004ed130-1032-5e7f-b2e6-ef0866d53b9d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152722Z", "creation_date": "2026-03-23T11:45:31.152725Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152734Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "cab6ae2ea21cc943a0c0e27f25de5bed2b801ac2863d7123334634411bcb3cf6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0054d0e0-4d3e-5aed-b367-10ee3412c190", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476211Z", "creation_date": "2026-03-23T11:45:31.476214Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476225Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9142fe1834f09556508cb0af1c9258211654e08a3d64aad27a46d1cdd56c17b7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "005857e6-bff5-5551-8cb0-df874e1d802a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829096Z", "creation_date": "2026-03-23T11:45:30.829098Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829104Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b74f31ad89c969bd1e154729c3e50136a3804fb759d164ed9d3247d791122b6b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "00634432-7aa3-53f2-b194-f49bb3bf6de4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824969Z", "creation_date": "2026-03-23T11:45:31.824972Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824981Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b11d13216855f507240d4e5d56bd5f53ce38669db22a7a6d6a0b37bba99e0403", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
} { "id": "0068f420-1cf4-599c-818a-683a69750f9a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145205Z", "creation_date": "2026-03-23T11:45:32.145207Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145213Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e7ff6a8a70471991d00525b02071eff55a2252d7f8dfb299ac2d169e811f6a84", "comment": "Malicious Kernel Driver (aka driver_981d03e1.sys) [https://www.loldrivers.io/drivers/1106fe7a-b78b-4edf-85c0-6208979f380b/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0074af71-a717-5d22-aa31-f53758720ddc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154332Z", "creation_date": "2026-03-23T11:45:31.154334Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154340Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "7780bd43d0642303063ddaeca5de98b997d6302f6e6a4fd496561b13262a3b74", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "008468fd-f453-54a0-b63e-7e7c7ff7c681", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159229Z", "creation_date": "2026-03-23T11:45:31.159231Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159236Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2f43846327935f1cc29daf07730eb39f44cd3b26c770df770d2068a9a5e2aed0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0088cc75-6f09-5f46-b77e-30f2c576971e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494846Z", "creation_date": "2026-03-23T11:45:31.494848Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494855Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "322d95fbb0e6a856576a4fe58c30fb67eab8fb2ca29512972d65145cbce73016", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "00896919-433d-5110-b167-1ba05552c2a0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830040Z", "creation_date": "2026-03-23T11:45:30.830042Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830048Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d01d0e15698f945ff5a4c6db58fa66841122daad129298aa10e1d460c2b25a53", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0093ca17-b196-5fee-b016-5531682b7457", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457831Z", "creation_date": "2026-03-23T11:45:30.457835Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457844Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0cf91e8f64a7c98dbeab21597bd76723aee892ed8fa4ee44b09f9e75089308e2", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0094a78f-4b42-525b-ab15-4e66cd3fe9b1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495058Z", "creation_date": "2026-03-23T11:45:31.495060Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495066Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "825f9c3992e03dfad566039f1651228ba74195f04e4b715ff9a6dc339236a136", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "009b7d33-88a2-5c92-8026-74cfb6b2c2d1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975516Z", "creation_date": "2026-03-23T11:45:29.975518Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975524Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a67131e5e7ea45a8b53b6f924d418dfda716a00c2b12ab4d6ee5724c9f0d5549", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "00a40f0a-fd59-59ae-a047-1fd24b02af7d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980716Z", "creation_date": "2026-03-23T11:45:29.980718Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980723Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2121a2bb8ebbf2e6e82c782b6f3c6b7904f686aa495def25cf1cf52a42e16109", "comment": "Vulnerable Kernel Driver (aka CtiIo64.sys) [https://www.loldrivers.io/drivers/de365e80-45cb-48fb-af6e-0a96a5ad7777/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "00a97769-b5ce-5b5f-8719-44bbe3d869ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476420Z", "creation_date": "2026-03-23T11:45:30.476427Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476439Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3b7177e9a10c1392633c5f605600bb23c8629379f7f42957972374a05d4dc458", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) 
[https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "00aa84e7-b9ff-54be-8e11-7cd6003e0bb3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810236Z", "creation_date": "2026-03-23T11:45:31.810238Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810244Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff439e7007d97b7e56acfb95ba29a9c9884bf5c0242ff46d11e5cfd8ac5ecfe0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "00b98a8c-3b1d-5429-bd09-b4c326e2a065", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606723Z", "creation_date": "2026-03-23T11:45:29.606725Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606731Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cee01c69cb0c06dd0d98ff05aeb2b0a34a4aa1a71d35a3033bf9c1a35b637c55", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "00cd50bc-fafd-52ec-9d30-ea16cf31b1b1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822385Z", "creation_date": "2026-03-23T11:45:31.822388Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822396Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b458eb6aad837cb6723320ceea1883c07ada507659a4688aedb46954f3f33417", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "00d00975-c936-5c33-a724-cc64bbb5bdb4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620460Z", "creation_date": "2026-03-23T11:45:29.620462Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620468Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e81230217988f3e7ec6f89a06d231ec66039bdba340fd8ebb2bbb586506e3293", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "00e1229c-c643-5b96-9676-3995625f21e0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487291Z", "creation_date": "2026-03-23T11:45:31.487293Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487298Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "10c033adf816f4d502e5fa15c0642f0be92bb921b63f1a3190ed41267d60156f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "00ed41f8-421e-5823-8056-ca7604607c57", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613347Z", "creation_date": "2026-03-23T11:45:29.613351Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613357Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6ed35f310c96920a271c59a097b382da07856e40179c2a4239f8daa04eef38e7", "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "00f33ddc-9494-5bbd-b8cd-111fe5662e07", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475154Z", "creation_date": "2026-03-23T11:45:31.475157Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, 
"hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475167Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "92ab76ddfafbaaec1e358bdf558ec23ea6d029c81f80d01ddf89a9daed8d564f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "00f58f92-a180-572c-81d4-f5f9420317f0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830528Z", "creation_date": "2026-03-23T11:45:30.830530Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830536Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9e26f64ae78fe305565876b7c28b543fc086900fb41756c2c21a767d7aa3004e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "00f9d36c-45ee-59c9-982a-1e3a3612b049", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453548Z", "creation_date": "2026-03-23T11:45:30.453552Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453561Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fe425d4ea7c8d8bc2e8f32969d058f06a02ab11a0e15e465b989e526be17ca84", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0101d602-6d30-5816-a914-ae5d5464a0db", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155188Z", "creation_date": "2026-03-23T11:45:31.155190Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155196Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f93092156ac39b5ff400cc1378edd5d74a96d0ec01fa2691ad678a49916bbb20", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "01020362-84a7-5ae0-8498-32e1944fbd8d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143936Z", "creation_date": "2026-03-23T11:45:32.143938Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143944Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "765869c7c04b49e77de313806398472ec90dce45206a6d71e448d4e2e499715d", "comment": "Vulnerable Kernel Driver (aka Afd.sys) [https://www.loldrivers.io/drivers/394f49b2-2d78-4d0d-b374-1399695455f3/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0107bfa0-5fac-5b43-bd30-6fc3ef784280", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.497896Z", "creation_date": "2026-03-23T11:45:31.497900Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.497909Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2888b243fe734e4bd33e8bb7f92a39f005653c9bf0defca5d34ff150c6b0cb9c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "010e8b7d-18ae-5abe-a415-c39532ce008a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808704Z", "creation_date": "2026-03-23T11:45:31.808706Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808712Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "73383892b9298fe716e2aa02fdf2e7d07169fa297fba3bb6090ec47fa648dae0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "01161d5f-dfb7-5023-abd9-05f8e5b8f517", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822818Z", "creation_date": "2026-03-23T11:45:30.822820Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822825Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "39336e2ce105901ab65021d6fdc3932d3d6aab665fe4bd55aa1aa66eb0de32f0", "comment": "Vulnerable Kernel Driver (aka SBIOSIO64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "012cb417-ac19-5fc3-9236-07ed24c46b07", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823335Z", "creation_date": "2026-03-23T11:45:31.823339Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823346Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b43a6483567a78f3f1158ca875a3dbcad3edfc024d2ccaeace03fb7be6db449e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "01305fd2-188e-5e40-a33a-4d81a546af35", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619750Z", "creation_date": "2026-03-23T11:45:29.619752Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619757Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee6bfdf5748fbbf579d6176026626ef39a0673e307c2029f5633e80f0babef54", "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "01467ec8-c1bd-5919-a5ae-c16772a2fc74", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146013Z", "creation_date": "2026-03-23T11:45:31.146017Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:31.146026Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6c661ccb40bb80b66a8e376aaf8ed638c0860a606195cb3cb5b781b69a942534", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "014b2e74-f1de-525a-a953-c0f445c7db9a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470727Z", "creation_date": "2026-03-23T11:45:30.470730Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470739Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "46aac78f7cd865d27189c8308841f12a5512e657be0dd6e8b178aac5223889fe", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0155c3ca-9d4c-5211-90ac-e0fe8711662c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488396Z", "creation_date": "2026-03-23T11:45:31.488398Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488403Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c6c906d3e5e00067ffe1b176bd94dbe8a119435039e3ac3ddfec326fc0956d77", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0157f476-c466-53d7-8670-1e244f9cdd26", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982449Z", "creation_date": "2026-03-23T11:45:29.982451Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982457Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4941c4298f4560fc1e59d0f16f84bab5c060793700b82be2fd7c63735f1657a8", "comment": "Vulnerable Kernel Driver (aka windows7-32.sys) 
[https://www.loldrivers.io/drivers/b45a3fdf-592a-4cd9-81e2-8fe03d554cad/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "016175ac-e9a7-57b5-a683-9e1053a9bd84", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827595Z", "creation_date": "2026-03-23T11:45:30.827597Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827603Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "54d5c4a62a2eed43d0e680587ec6f8063d1d48908b2ab4562816ffed8f52c263", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "01659f83-3662-5629-be7b-1354117d1314", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147717Z", "creation_date": "2026-03-23T11:45:31.147718Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147724Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ec85aa2349c95884af3dfbfc8bfebd40a71963f107d1176b8891fde2b614b310", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0169ef2f-fb28-5bc3-bed7-b2aabb90dd7d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616569Z", "creation_date": "2026-03-23T11:45:29.616571Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616577Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "01733296-4ba1-5d5a-b233-79903da3bdfd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464939Z", "creation_date": "2026-03-23T11:45:30.464942Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464957Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "93aa3066ae831cdf81505e1bc5035227dc0e8f06ebbbb777832a17920c6a02fe", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "017447d4-88a2-5447-aa80-d987c13d331a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621333Z", "creation_date": "2026-03-23T11:45:29.621335Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621340Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9dcfd796e244d0687cc35eac9538f209f76c6df12de166f19dbc7d2c47fb16b3", "comment": "Vulnerable Kernel Driver (aka AsIO.sys) 
[https://www.loldrivers.io/drivers/bd7e78db-6fd0-4694-ac38-dbf5480b60b9/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0179b98d-3214-5d53-87b6-87143663638b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479974Z", "creation_date": "2026-03-23T11:45:30.479976Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479981Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e4658d93544f69f5cb9aa6d9fec420fecc8750cb57e1e9798da38c139d44f2eb", "comment": "Vulnerable Kernel Driver (aka AsmIo64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "017c91ba-fe9d-5512-a44e-606373270abc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146099Z", "creation_date": "2026-03-23T11:45:32.146101Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:32.146106Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8dbc28fefb8cf9377be55a7c6062988df5a24f0ff475f6dd65cf07fe5173f51d", "comment": "Vulnerable Kernel Driver (aka neofltr.sys) [https://www.loldrivers.io/drivers/c44e6197-efab-49d2-8a5f-04ae4a0f0ea0/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "01878dd6-bfc7-5836-855e-f2beabffc97b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460125Z", "creation_date": "2026-03-23T11:45:30.460128Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460136Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd2c1aa4e14c825f3715891bfa2b6264650a794f366d5f73ed1ef1d79ff0dbf9", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "018df02d-8389-5fa3-b401-d54fdda39937", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823979Z", "creation_date": "2026-03-23T11:45:31.823982Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823991Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "090e352c8943316c242e1889f0e7304819d502300a529499a1fb29124ca33646", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0198378f-55b8-5f80-965b-d73b6859e7f4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823389Z", "creation_date": "2026-03-23T11:45:31.823393Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823401Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d7831ba304ffc9cb1ff0f70a51a255d03acbb8edd801d61f0e0cb11b32da0384", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] 
[file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "019d4dce-e650-5223-90ad-8cea1af256a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828803Z", "creation_date": "2026-03-23T11:45:31.828805Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828810Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3728e8d692093a6111e8c0943e5f11ccff35a6395982dd065c992ac063446cf6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "01aa8931-6e43-562b-819d-3e1a96b8e116", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156002Z", "creation_date": "2026-03-23T11:45:31.156004Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:31.156010Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f9df4b81a03df605e808e8f819fc913cb00f2076bb55d187bf97b739c151b81f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "01b18d44-e9ac-57d3-bcae-bbadb06812dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153560Z", "creation_date": "2026-03-23T11:45:31.153562Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153567Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "03172eef01698a6d6eae38c6dcd1b0a9b75f8eb312502dd3b9408b62c553c0d9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "01b3fb1e-b0ee-5c01-96a3-422380933ded", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470669Z", "creation_date": "2026-03-23T11:45:30.470672Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470681Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5b5590995c6bcd39884dceda1e87e8516a3767bce00519ce140a46f1a77666ff", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "01ca129a-4d80-51e6-b27c-8cf288301005", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148757Z", "creation_date": "2026-03-23T11:45:31.148759Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148764Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d1170f7dfb5b27022f61c7e56fa74729f4c8721e1740f27f6ed3880a7fe277f0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "01d01c70-29b8-555d-b27c-309ad5221a06", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155031Z", "creation_date": "2026-03-23T11:45:31.155033Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155039Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0b80d5bc658ec972223838494373244cdbc1e295b6ae48918ce9ac354d035ba4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "01d78120-0275-533e-a3d3-ca926cc43d6f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143006Z", "creation_date": "2026-03-23T11:45:32.143008Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143013Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "39f5d351878f7216a69d0330c40e5b2793c6d4d3ee72f0673cf7555ea9dbe86a", "comment": "Vulnerable TfSysMon driver from ThreatFire System Monitor (2013) (aka TfSysMon.sys) [https://github.com/BlackSnufkin/BYOVD/tree/main/TfSysMon-Killer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "01dbefe3-b15d-5b38-8d1c-535f2fd850d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469101Z", "creation_date": "2026-03-23T11:45:30.469105Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469114Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6e3e09583b7bba35ef21419bdc711984e8541eb20a29406940727f73cbb5064a", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "01dc7e0f-5b7c-5791-b9e9-2733c16e6ddb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613478Z", "creation_date": "2026-03-23T11:45:29.613480Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613485Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b6bf2460e023b1005cc60e107b14a3cfdf9284cc378a086d92e5dcdf6e432e2c", "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "01fbb11e-4043-5052-b7c2-7563b0896683", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978860Z", "creation_date": "2026-03-23T11:45:29.978862Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978867Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "93b266f38c3c3eaab475d81597abbd7cc07943035068bb6fd670dbbe15de0131", "comment": "Vulnerable Kernel Driver (aka LgCoreTemp.sys) [https://www.loldrivers.io/drivers/2c3884d3-9e4f-4519-b18b-0969612621bc/] [file 
SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "02070751-a8b3-5e7f-8262-7d5d55529ecc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471133Z", "creation_date": "2026-03-23T11:45:30.471136Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471145Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c6f7acc48d15f334a757a416809eb596d291952cf730a281de4a4423e18dce76", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "020827c1-7773-5550-9c17-86004207bb8b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473310Z", "creation_date": "2026-03-23T11:45:30.473313Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473322Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0484defcf1b5afbe573472753dc2395e528608b688e5c7d1d178164e48e7bed7", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0210c95b-1775-5ff8-ade4-b5221e50bc71", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157580Z", "creation_date": "2026-03-23T11:45:31.157585Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157595Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6d0c587c704e2ca6feb8626df7817187f319e4677b393bf0b92386b2ac400e29", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "02128104-2530-560b-83b0-e6fcc4812cf3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973375Z", "creation_date": "2026-03-23T11:45:29.973377Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973382Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "57ae8d2d962cdde554831415725583fcf4ae5fc844c19983a7c37e31b12109a3", "comment": "Voicemod Sociedad Limitada vulnerable driver (aka vmdrv.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "021a40bf-7f63-5a68-8d55-86b3fe0a68e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480112Z", "creation_date": "2026-03-23T11:45:31.480116Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480126Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "936af11604944176e2ca24f03dd7383f55f2f24a228de72744f2896ac50432ff", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] 
[file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "021d2917-c36e-573c-aade-197dc442e200", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486042Z", "creation_date": "2026-03-23T11:45:31.486046Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486056Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1f740ededb186a18cc8a6a315a796c73520e48bfbd282d48a734d37e0f2aa295", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "021fbfcf-9010-59e4-b386-b51716734a39", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834053Z", "creation_date": "2026-03-23T11:45:30.834057Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:30.834064Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "21b21459993d49b83a44f5dfaa1817f7fada9ae1382b3156b79a10145bb9530a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0225663b-6c52-562c-8485-8dabfe50a324", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968511Z", "creation_date": "2026-03-23T11:45:29.968513Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968518Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "14adbf0bc43414a7700e5403100cff7fc6ade50bebfab16a17acf2fdda5a9da8", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "02267224-bcf4-5f48-9cc3-fa2668249be7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830341Z", "creation_date": "2026-03-23T11:45:31.830343Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830348Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6dc7053d15b5c6bf57f53531263e135fbc064237ce2ae163a3072acb89dbf9b5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "022687b1-6e32-5eb5-99a0-caeaef5ed5e1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156292Z", "creation_date": "2026-03-23T11:45:31.156293Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156299Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eb7775fe2b3c6a82fb5308238b99412e1b8e11c6a48a03f7fed8fb31f5e9b2e5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "022ed932-0fd1-5208-9fd8-629ab48b4ad3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459850Z", "creation_date": "2026-03-23T11:45:30.459853Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459861Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bbf564a02784d53b8006333406807c3539ee4a594585b1f3713325904cb730ec", "comment": "Vulnerable Kernel Driver (aka VBoxMouseNT.sys) [https://www.loldrivers.io/drivers/ecabc507-2cc7-4011-89ab-7d9d659e6f88/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0237524e-2deb-5599-a51e-38fdbafa6c0b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823123Z", "creation_date": "2026-03-23T11:45:30.823125Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.823131Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c25cb17f5879e9c2fb4c91adb18e24b50a94738d5deb62a4189065bcf2c1d86b", "comment": "Vulnerable Kernel Driver (aka atlAccess.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "023a4130-a2e0-57af-9545-06a253b1cd65", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834214Z", "creation_date": "2026-03-23T11:45:30.834217Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834225Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fc9c62312b035c2b954ee633b3e6c5cc7c5cca3e8c03b3818db49f69020185b7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0244398e-db56-5e38-ab46-58c36fda2e2d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145546Z", "creation_date": "2026-03-23T11:45:32.145549Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145555Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a1f79a2e1441970bb3e7c838f8c14a8f3d39a46b0ff9648614e922ac475c743d", "comment": "Vulnerable Kernel Driver (aka ADRMDRVSYS.sys) [https://www.loldrivers.io/drivers/48aeea9b-7812-4b25-9835-baaebe7dc551/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "024bed7d-e9ba-58a8-a5ba-2e132030e4ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621686Z", "creation_date": "2026-03-23T11:45:29.621688Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621693Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "48891874441c6fa69e5518d98c53d83b723573e280c6c65ccfbde9039a6458c9", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
} { "id": "025c31d8-a310-58bc-9d95-e2d49f2e917e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480544Z", "creation_date": "2026-03-23T11:45:30.480546Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480551Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "37b0aaf4e3cdc9d4c475a3a08ad2ba1e28e177d7359546c9b0bba14ae73dfed0", "comment": "Vulnerable Kernel Driver (aka GtcKmdfBs.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0263d854-319f-5b8b-b575-ab9a1bc1f3f0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829341Z", "creation_date": "2026-03-23T11:45:30.829343Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829348Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "a35bcff21cb4869740ebf64cb6316c28acef3fbd03e33c38f4a97c9ea442dde1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0266b22b-3019-5aab-bf3d-282d4cea4c72", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480010Z", "creation_date": "2026-03-23T11:45:30.480012Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480018Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "655110646bff890c448c0951e11132dc3592bda6e080696341b930d090224723", "comment": "Vulnerable Kernel Driver (aka gpcidrv64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0266cec8-c150-5aa8-b4d4-992fdb7759a5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483752Z", "creation_date": "2026-03-23T11:45:31.483756Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483766Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f6f3379b18b84b4bfe6ab0f5e332956f6f87ca5062aa3acd4739d9a6d3c33392", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "026d57f8-faaa-552f-ae4b-c54e7a8f8528", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621530Z", "creation_date": "2026-03-23T11:45:29.621532Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621537Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7236c8ff33c0e5cfa956778aa7303f1979f3bf709c361399fa1ce101b7e355b8", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "027a1ffb-92c1-5578-876a-1456143ef7ad", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469951Z", "creation_date": "2026-03-23T11:45:30.469954Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469964Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "16274f4d9293fff056268a2d53c1a2e27db26d6b643f24651b5f2a0c055b7f40", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "027d6a6a-7489-5e2f-b40d-df770288208b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479984Z", "creation_date": "2026-03-23T11:45:31.479988Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479997Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"19429c971c279d564c84b24efadc66a0ccdea4e45cf0f795fb59f7b0e46387b0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0283cc9a-8dbe-577b-86d7-04cb2857605c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488240Z", "creation_date": "2026-03-23T11:45:31.488242Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488248Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a76f8d98f689166abfb86c50ff83f3f8693404f7c457de48d04cb6ccd4887ef5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "029772cd-05a0-58d0-9ad1-dd415300042b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488925Z", "creation_date": "2026-03-23T11:45:31.488927Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488932Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f2e64bd2c50f6032e070776b3687f7e3cb0a5c02c10ca54176ce7877c5bdf9c9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "029f8029-e5b3-59c0-b1f0-57af43acad0e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144700Z", "creation_date": "2026-03-23T11:45:31.144702Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144708Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "552ed099bb06f83c3a41a8963556800ec5a579be4f51bd5df9b945520a584d4c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"02adc0e1-b524-5bab-acad-928666181a01", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160952Z", "creation_date": "2026-03-23T11:45:31.160954Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160960Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "31ec72cdcf6dd4eb8642f8546cb9995a5f5c7d0afd5b89fad961697676e6ca8a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "02beeddf-cf27-5c70-b160-e06e0539a9ed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500064Z", "creation_date": "2026-03-23T11:45:31.500067Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500075Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "77641e765a14d98a2f06cb05400eddb086d49bdff7d809f193266a2ba0516113", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "02c3a900-6337-515e-ba02-ec79052cb575", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826901Z", "creation_date": "2026-03-23T11:45:30.826904Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826909Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d8291a0fdd796f6fe82fccbe4c7ee4dcc7d8e4927d40abe18ebcc61a9cb16fb1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "02c7fc85-ee32-5340-b2c7-3717749fedbe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477519Z", "creation_date": "2026-03-23T11:45:30.477522Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477532Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "16b591cf5dc1e7282fdb25e45497fe3efc8095cbe31c05f6d97c5221a9a547e1", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "02cda463-0ae0-5464-ab49-618f1c7f918f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479862Z", "creation_date": "2026-03-23T11:45:30.479864Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479881Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0dcdbdc62949c981c4fc04ccea64be008676d23506fc05637d9686151a4b77f", "comment": "Vulnerable NVIDIA Kernel Driver (aka nvoclock.sys) [https://github.com/zer0condition/NVDrv] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "02d2dd45-fc87-5295-ab1f-6c182b37e5b0", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148700Z", "creation_date": "2026-03-23T11:45:31.148703Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148711Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b6ff9674ce64230ea72ef866594640115a7560d2ce969f24ff15e1cd818c5cb6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "02d36425-67b5-56c6-b285-9ea08ee85b87", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615118Z", "creation_date": "2026-03-23T11:45:29.615120Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615125Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "7893307df2fdde25371645a924f0333e1b2de31b6bc839d8e2a908d7830c6504", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "02db34b9-8176-56cc-9398-df47a51ebb2f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155258Z", "creation_date": "2026-03-23T11:45:31.155260Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155266Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "06bb219d68e32c270b3cbaae0fd053c39febb0b6ae6f72df347e49c29c5183f8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "02dc9788-6aeb-5161-9bad-2c97e18b50ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825448Z", "creation_date": "2026-03-23T11:45:30.825450Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825456Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c9f9f49d85991f002fdeb6cf8424e5db99edc6e1ce3b9e28841307a497312dc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "02e43f36-0536-5d7c-8043-8dfeb7088a50", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829934Z", "creation_date": "2026-03-23T11:45:30.829936Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829941Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1f6b1aeec2dcdc6bca062aebf012cc897e26615be007059dd098780b85977c91", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "02f123f7-7e0c-520c-a29c-c61b3cd2753f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472501Z", "creation_date": "2026-03-23T11:45:30.472505Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472514Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "73c03b01d5d1eb03ec5cb5a443714b12fa095cc4b09ddc34671a92117ae4bb3a", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "02f59a82-cfbf-5a27-9e20-0fb3c73f1515", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147147Z", "creation_date": "2026-03-23T11:45:31.147149Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147155Z", "rule_level": null, "rule_level_override": null, "rule_confidence": 
null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "637f36fae18a32aac7c284249963f36ac67c049cb557541d3b24eabe2c77c6cc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "02fc09c8-a6ee-5c7f-a170-0f8d528f0bb5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147042Z", "creation_date": "2026-03-23T11:45:31.147044Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147049Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b2f91e1d9b4eaaf2037d10896d9a151fa1403c3c3efc03f6863a519b6d0bb4b8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "03197381-af7f-5ca5-8b90-947f8dedf145", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983086Z", "creation_date": "2026-03-23T11:45:29.983088Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983094Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3390919bb28d5c36cc348f9ef23be5fa49bfd81263eb7740826e4437cbe904cd", "comment": "Vulnerable Kernel Driver (aka nstrwsk.sys) [https://www.loldrivers.io/drivers/e9b099f6-8a12-46f0-a540-40e88cf0ce17/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "032b3a6e-5b72-588d-8eb6-ff6f05a5e666", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475798Z", "creation_date": "2026-03-23T11:45:30.475801Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475810Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b975bb2aeb265f1e943a9ca501fc76e2b4514e874ca449c0e59fb36bacf17159", "comment": "Malicious Kernel Driver (aka 6771b13a53b9c7449d4891e427735ea2.sys) [https://www.loldrivers.io/drivers/ddca6daf-4932-4e82-ad3c-d92d47632ea4/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"03451eda-7d3f-5e9c-b42f-189566de53ed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460822Z", "creation_date": "2026-03-23T11:45:30.460826Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460834Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e6a2b1937fa277526a1e0ca9f9b32f85ab9cb7cb1a32250dd9c607e93fc2924f", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "03462b63-efc5-5618-a732-13c397e187fb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835591Z", "creation_date": "2026-03-23T11:45:30.835593Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835599Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "ac8b97d5da80ca7b0f325d0b9d28a1a97a21725ae81c8504cc50be50a3a00382", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "03488896-4b3f-54c7-861a-da48d7fe4ee6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147376Z", "creation_date": "2026-03-23T11:45:31.147378Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147384Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5f5bdeecabdf1c33c6f1263bc9a2f6e816eefb117b4d19dabd86743398abbce9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0360a8bb-1dd0-5e2f-9658-aebdb564b83f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476280Z", "creation_date": "2026-03-23T11:45:30.476283Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476291Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "834a3d755b5ae798561f8e5fbb18cf28dfcae7a111dc6a03967888e9d10f6d78", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0377aacc-9f0a-5094-a490-ef43f4ae4061", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499243Z", "creation_date": "2026-03-23T11:45:31.499246Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499254Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1a9a17986c8d36a2244538222be04858b5a3f23eef5f6484b6923e225874d564", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"037e14f8-b96f-50a6-9a57-2a4b0a01ef90", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452882Z", "creation_date": "2026-03-23T11:45:30.452886Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452896Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ec1307356828426d60eab78ffb5fc48a06a389dea6e7cc13621f1fa82858a613", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0398198d-ce88-5c5e-8b75-41a6e6640cbc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977018Z", "creation_date": "2026-03-23T11:45:29.977020Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977026Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": 
[], "type": "hash", "value": "689995fe5db058b23ce5f421e9bc256377f40ada2b74c9c50672a54d1b98834e", "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "039b36fd-622b-5014-9afa-ca4ebb77f3d9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458521Z", "creation_date": "2026-03-23T11:45:30.458524Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458533Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "234fc829bfd4d8d5dca351be176f5a06cb29bbfd5632a93cc218936d32a44851", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "03b3f3a8-9979-56fb-b988-58051e45ea43", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.613154Z", "creation_date": "2026-03-23T11:45:29.613156Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613161Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7f75d91844b0c162eeb24d14bcf63b7f230e111daa7b0a26eaa489eeb22d9057", "comment": "ASUS vulnerable UEFI Update Driver (aka AsUpIO64.sys and GVCIDrv64.sys) [https://codeinsecurity.wordpress.com/2016/06/12/asus-uefi-update-driver-physical-memory-readwrite/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "03bb5dd9-6232-5b30-baf4-6942e653836f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617609Z", "creation_date": "2026-03-23T11:45:29.617611Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617616Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "48d67eacca3ff6a4310f3164988b832ba7142021aec0d7a1b988be240b7ad170", "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "03bb70a2-e818-51b1-a84c-69305b28b316", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478104Z", "creation_date": "2026-03-23T11:45:30.478107Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478116Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "992eb531739029456311043f99fa48ac896a59e70edc48093facaf3479e0c3f0", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "03bb82b7-08e3-52b2-aa32-b2cbc91aeeac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808239Z", "creation_date": "2026-03-23T11:45:31.808242Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808251Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", 
"value": "61939a658ad0d4d93fde596a40ef9e81e4b2d3833ca614d6216e8445741aef7a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "03dde572-6100-504c-a8c7-9dce7a9d4f53", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479583Z", "creation_date": "2026-03-23T11:45:30.479585Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479591Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "33c6c622464f80a8d8017a03ff3aa196840da8bb03bfb5212b51612b5cf953dc", "comment": "Vulnerable Kernel Driver (aka HWiNFO64I.SYS) [https://www.loldrivers.io/drivers/080a834f-3e19-4cae-b940-a4ecf901db28/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "03e7d81d-3ba9-5ba2-a30b-d225d2508d6a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.978826Z", "creation_date": "2026-03-23T11:45:29.978828Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978833Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "22be050955347661685a4343c51f11c7811674e030386d2264cd12ecbf544b7c", "comment": "Vulnerable Kernel Driver (aka speedfan.sys) [https://www.loldrivers.io/drivers/137daca4-0d7b-48aa-8574-f7eb6ad02526/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "03f12abe-2f1e-5835-8784-c77cdb8167a0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143826Z", "creation_date": "2026-03-23T11:45:31.143828Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143834Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2256ff8815e0f956ecda7946b37aa28816f6ab6ef91db426de4e49055c0f3741", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "03f65d58-acc5-5747-9a2b-efc1f77662c0", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821449Z", "creation_date": "2026-03-23T11:45:31.821451Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821456Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e19076fa8c2424904b383c36c73eadfb5dbbde610cbaef094e4928036ff8b39", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0403f78e-afc0-56b5-9a87-9ddd8bead19f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817462Z", "creation_date": "2026-03-23T11:45:31.817464Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817470Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"72190ae623520142cb34bfdc76b04b76bf1293ad7cc96827cb27b7c9cb44ac6d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "040d99da-dace-552a-b0d4-1406c2c8054c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973340Z", "creation_date": "2026-03-23T11:45:29.973342Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973347Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "32cccc4f249499061c0afa18f534c825d01034a1f6815f5506bf4c4ff55d1351", "comment": "Voicemod Sociedad Limitada vulnerable driver (aka vmdrv.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "041ff1cd-b3b9-5941-81b3-d0931f57ad33", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617913Z", "creation_date": "2026-03-23T11:45:29.617915Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617921Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1ce9e4600859293c59d884ea721e9b20b2410f6ef80699f8a78a6b9fad505dfc", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "04248533-2444-5e51-af83-9d552253ad9e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476493Z", "creation_date": "2026-03-23T11:45:30.476496Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476506Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd2f1f7012fb1f4b2fb49be57af515cb462aa9c438e5756285d914d65da3745b", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"043aab6e-63d3-5a52-9ff3-d9ce9f89ab42", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.471655Z", "creation_date": "2026-03-23T11:45:31.471659Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.471668Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8218462d1cd9f1c9815c7282600eb2dbc88215c56e3c2618e8784da29fb3ab04", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "04428a81-4f00-5fa8-95e6-a11ee8e7f984", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487162Z", "creation_date": "2026-03-23T11:45:31.487164Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487170Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "796b4afe7d3976ca2e6e680860f4b374b45db8e86499fff4ef4365ba36fee072", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "044f82e6-8799-596e-a713-905e8d9405c7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460550Z", "creation_date": "2026-03-23T11:45:30.460554Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460563Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ad0309c2d225d8540a47250e3773876e05ce6a47a7767511e2f68645562c0686", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "046ebb29-cf3d-5066-a846-2b9c28debf0b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617361Z", "creation_date": "2026-03-23T11:45:29.617363Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617368Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4780da56667e01cdd7eff83c23c772d68deb4d9fdb69d5302f556bb424151f51", "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "047816b9-c437-5c9d-a035-9435722b434b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984638Z", "creation_date": "2026-03-23T11:45:29.984640Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984646Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "42e170a7ab1d2c160d60abfc906872f9cfd0c2ee169ed76f6acb3f83b3eeefdb", "comment": "Vulnerable Kernel Driver (aka BS_I2cIo.sys) [https://www.loldrivers.io/drivers/66be9e0a-9246-4404-b5b5-7fbde351668f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "047a07a6-c90d-557b-a1c5-a573e8d7d6c4", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976517Z", "creation_date": "2026-03-23T11:45:29.976519Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976525Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2bbbe2ae5aa51868e7afc2c16c3a0a79fa3302e6830feeccca7f0363a62dddb4", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "047d8882-5302-5b74-9ce6-c818766e0e2a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479829Z", "creation_date": "2026-03-23T11:45:31.479833Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479843Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "739f9676a4d86b0f725f1ebd897777123947ef5c24cf1f2822ffe4fbe9acff5c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "04a3135d-7592-5d1a-9fda-e6e9d020538e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456277Z", "creation_date": "2026-03-23T11:45:30.456280Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456289Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "831b62145c21557928a694e6261e830f1545b5756ad51dcbd28a15fde570f4e7", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "04a3e689-0b75-509e-be90-19b1db24fea1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607165Z", "creation_date": "2026-03-23T11:45:29.607168Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607173Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1", "comment": "Dell vulnerable driver (aka dbutil_2_3.sys) [CVE-2021-21551] [https://github.com/SpikySabra/Kernel-Cactus] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "04aa5ae2-2d8e-5cd0-93cd-9702483d0a60", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830438Z", "creation_date": "2026-03-23T11:45:30.830440Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830445Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cccd9bc2995be22986e22253724bf11c73d7a19ff77343c695cd888ad976c3d7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "04aee2b1-21d0-5a6f-ab12-c524f6233464", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141415Z", "creation_date": "2026-03-23T11:45:31.141417Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141423Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "300dd42952024fcdc8d3bd90bd8892ba391b016f4f7f57543bda6d2ce12d371b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "04bc0990-91c5-5103-86cd-e58c14fa4ade", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454765Z", "creation_date": "2026-03-23T11:45:30.454768Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454777Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "25454028a4f56d3c58747811a86be43397a6290d1a053bc30d97b41bf3c58c6f", "comment": "Vulnerable Kernel Driver (aka jokercontroller.sys) [https://www.loldrivers.io/drivers/4c815256-2534-4476-b15d-7cbf24c80098/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "04ca5a1c-6ffa-5da4-8acc-3eec3abfdcbc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606917Z", "creation_date": "2026-03-23T11:45:29.606919Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.606924Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1a902521c5f82ad9acac815229a00e6ed9137b8d49106b64147b088ff89d0f01", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "04d06975-93bd-5453-bdf1-ac7a5049d4ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615748Z", "creation_date": "2026-03-23T11:45:29.615750Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615755Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d82a938dc7b0077a06d940bd3ce6097e3b02cdc254ec6fd863c0e526f2af69fa", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "04e42d59-a467-5cc4-9bbe-3d1bbc3e1998", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454891Z", "creation_date": "2026-03-23T11:45:30.454894Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454903Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "407ca87833bd0931eec8005bb125e56d5765058c9b6422620aa95d8b2044239a", "comment": "Vulnerable Kernel Driver (aka NICM.sys) [https://www.loldrivers.io/drivers/0f8e317e-ad2b-4b02-9f96-603bb8d28604/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "04e603d7-2f2c-58b8-a465-e47c1484269b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985198Z", "creation_date": "2026-03-23T11:45:29.985200Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985206Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d852810a7319e3249077a1b9f1317f6f4157a19bb99b90063d118c30c2c84ac2", "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [authentihash SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "04fa0d38-9059-5ef5-9bc3-d5c472e45a78", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153613Z", "creation_date": "2026-03-23T11:45:31.153615Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153621Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "67437ca0f3ca0fe5ae7bbce6fc834e0252a936035d3d57bc069830c9d3ee2e15", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "04fdd464-f581-5107-877f-047f8a476e12", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815473Z", "creation_date": "2026-03-23T11:45:31.815475Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815480Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eb121a1776e70ee10b82d6818e6e91cd53966c498677c7d261b40d064be60831", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0506e24a-c838-5717-b346-0cf6040f7795", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969819Z", "creation_date": "2026-03-23T11:45:29.969821Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969826Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f6cb70c945e7b3723de1d334aa2fb97bb8ddb9f68e409deeb9988f446546a57c", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "05076b32-cce0-5681-b423-97d1f96778bf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468611Z", "creation_date": "2026-03-23T11:45:30.468614Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468622Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "94f4bcc9b062406ee7468659c1710d3e0cb057c7b7194e15cd72845082138019", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "050cac9e-59ad-5881-a7b5-0a1b027ab859", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816635Z", "creation_date": "2026-03-23T11:45:30.816637Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816643Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "defde359045213ae6ae278e2a92c5b4a46a74119902364c7957a38138e9c9bbd", "comment": "Vulnerable Kernel Driver (aka avalueio.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"0512b663-3484-5dd8-9571-f68300078c85", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490919Z", "creation_date": "2026-03-23T11:45:31.490922Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490930Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a222868df05c425df8ac6b7945405c4ed61d9f81f0789171869226d156e9ac24", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "05198561-b1db-5967-80b8-dc2c6b472487", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808865Z", "creation_date": "2026-03-23T11:45:31.808885Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808891Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "746900af78ec0d7904d0cbb3969281cfb1d5ebedd53017cae6a27509062b8066", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "05223dc4-5a8f-5cf8-9bb1-e4b41b418668", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156887Z", "creation_date": "2026-03-23T11:45:31.156889Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156894Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "18357003448d4db822b5eea10eefa18fd78646079ebd338a9e7ee210542b1103", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "05272034-3189-51b2-a78a-1db537f5995f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150686Z", "creation_date": "2026-03-23T11:45:31.150688Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150694Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "83830685970d9094f7605289cfd06dcf1741e233216fd7dc2e43f0d3b0c90d79", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "05323ac5-24e5-5052-8c24-e4de8f07eb7e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160345Z", "creation_date": "2026-03-23T11:45:31.160347Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160353Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bed676cce59f13fe1ae3c07b1897deaba401840d822af8021790440eb9f3b7e2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0537b285-3d55-5512-afa9-b2deb2a4bfd2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146565Z", "creation_date": "2026-03-23T11:45:31.146567Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146572Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2946278067a6a60d88d842bfb9134731c73fb7accf734120182263cb785a4daf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "053923c3-5b72-51e5-9fbe-697e1af0393c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483064Z", "creation_date": "2026-03-23T11:45:31.483068Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483078Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a1d12f7b06088c56e4ced1296b0d9614b1fa3042fcbb964685514dff0b297730", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "054436d8-92ca-5d17-ac0a-21b765e4cba5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613910Z", "creation_date": "2026-03-23T11:45:29.613912Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613918Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c3fa4872fd2c286904a0cf37a392ef89fb6ba2a84fc9e1b66c70e0cb5ae28efa", "comment": "BioStar Microtech drivers with a vulnerable kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "054948f6-8d70-5ed0-9f64-0e63617990ae", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143183Z", "creation_date": "2026-03-23T11:45:31.143185Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143190Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a38dbf377d4371911959762bc856b04ef38ee54b53b5b327977ccf23fec6c5b6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "054fa1a1-6520-5ad2-bdb7-67da9220ff65", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970019Z", "creation_date": "2026-03-23T11:45:29.970021Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970026Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"68043583bc2f3fc1ca11458e8b921dce2573afdc04bd20ba85eeb806d884eb6f", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0554a339-a44b-501b-8cdd-10413c5c5ccf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828257Z", "creation_date": "2026-03-23T11:45:30.828259Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828265Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9d82863d3837c0074fd60fbf8ed69f082a0681d4d9945eba8488e8482c8bba31", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "055d0196-ad4c-52c1-9717-dd839c89c121", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.151195Z", "creation_date": "2026-03-23T11:45:31.151197Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151202Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f83e9c4122d25e9d32087c77d9391b46974b3d7090f369529ff2354d7d215b39", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0569fc76-6e58-5438-afe0-d117c1069bf3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609630Z", "creation_date": "2026-03-23T11:45:29.609632Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609638Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "76660e91f1ff3cb89630df5af4fe09de6098d09baa66b1a130c89c3c5edd5b22", "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "05815517-72b3-5d65-81bb-6bacf04e9085", "test_maturity_current_count": 
0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617816Z", "creation_date": "2026-03-23T11:45:29.617818Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617823Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "afdd66562dea51001c3a9de300f91fc3eb965d6848dfce92ccb9b75853e02508", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "058a7d7d-4b10-5ea9-b083-f536323e74c9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808969Z", "creation_date": "2026-03-23T11:45:31.808971Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808976Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "b180e7871f6fbdc5fc8eac158a2a529b706bcf5ee60a34865574617de96c2ef5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "05a40ccd-8930-52a7-bd25-aef204aa96a6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476371Z", "creation_date": "2026-03-23T11:45:31.476376Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476386Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "95d668bd3b2131b48b8938b1083279d5c56a29214912556ca22d385d3933a32c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "05a5c571-fabf-5a83-81d8-823e0d240d3c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821583Z", "creation_date": "2026-03-23T11:45:30.821586Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821595Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "00d9781d0823ab49505ef9c877aa6fa674e19ecc8b02c39ee2728f298bc92b03", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "05b26c98-7a11-5ae0-82c1-cb750152c462", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485451Z", "creation_date": "2026-03-23T11:45:31.485455Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485465Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e71d4c24fab2ccffcf694066bb773a7591d682be6644f555df69325cba136f3b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { 
"id": "05b2fe91-6886-550d-b2c3-ff25e8135ea3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816549Z", "creation_date": "2026-03-23T11:45:31.816552Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816560Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ae0ea2defb5399b26e18586ec288ed28fc67b8f8d46fbf3080b6b77d3a6d33f1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "05b8773f-6980-531a-b1ca-2e4a589c9d2f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831658Z", "creation_date": "2026-03-23T11:45:30.831660Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831666Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "329393b1ef53053dc6ee1202355fda1446e4da10f0488b6107ffff4638b8a010", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "05c418e8-7a2e-5be1-ac62-b585d58a8ea2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478346Z", "creation_date": "2026-03-23T11:45:30.478349Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478358Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "775000c4083c8e4dcfc879d83fcd27b40b46820c9834ae4662861386a4d81fe9", "comment": "Vulnerable Kernel Driver (aka vboxdrv.sys) [https://www.loldrivers.io/drivers/2da3a276-9e38-4ee6-903d-d15f7c355e7c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "05c4cbca-396e-52e4-9737-cacdba3d2697", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827107Z", "creation_date": "2026-03-23T11:45:30.827109Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827114Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b8f3814646ffa58ca9729760b5e0d37396273a0649583cbad1f72909fa452892", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "05cf2af0-8a0e-50a9-be37-4e57d392de47", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605376Z", "creation_date": "2026-03-23T11:45:29.605379Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605384Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "filename", "value": "kprocesshacker.sys", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [filename match, not a hash: evaded by renaming the file and hits any file with this name]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "05e7fd7d-2794-5963-acae-125e302754e6", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978773Z", "creation_date": "2026-03-23T11:45:29.978775Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978781Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3913d9754b78182aa25d38fbd7ea02502bdf1d81e6525ab4b5ffe5f543200478", "comment": "Malicious Kernel Driver (aka gmer64.sys) [https://www.loldrivers.io/drivers/7ce8fb06-46eb-4f4f-90d5-5518a6561f15/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "05f6a82d-e43f-51d3-907a-e07fd0e52c29", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160623Z", "creation_date": "2026-03-23T11:45:31.160625Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160632Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"555c77bc0c4f700d6b5dde9e0fade8366187ead215f4a5f15378d6e4395f3d7a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "05fe4632-59a6-5051-8754-21c32a8cdd48", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150106Z", "creation_date": "2026-03-23T11:45:31.150108Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150114Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fa3511eb499b94646617a2bb4254c5e435bb8fcdc706d6ee0bc3019907c21146", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "060d23a5-7edc-51a4-b217-f718b7894f21", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146474Z", "creation_date": "2026-03-23T11:45:31.146476Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146482Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "62e71e3ec19c2a37a1ab793cb11c84f6de3c2b33765b1eba8b281a55677a97a4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "06108c7f-8ef1-50d8-9153-e017dc1456a4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830107Z", "creation_date": "2026-03-23T11:45:31.830109Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830114Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "654a050581e50d3be2d714ad9012d01f88024298b46c1bae50a556fa16345776", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"061cbb6d-0e35-5277-a7ce-2fdeb0b2988a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143236Z", "creation_date": "2026-03-23T11:45:31.143238Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143243Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6f021fb4514087b1b6b11ea6b5a9c5edb589900c61448fff4e213fcea0cba6a7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "061fddfc-1028-5872-ad98-bc3b268b440e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618620Z", "creation_date": "2026-03-23T11:45:29.618622Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618628Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3ac5e01689a3d745e60925bc7faca8d4306ae693e803b5e19c94906dc30add46", "comment": "Vulnerable Kernel Driver (aka fidpcidrv64.sys) [https://www.loldrivers.io/drivers/a005e057-c84f-47cd-9b4b-5b1e51a06ab4/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "062c715f-e8a4-531d-8989-505021f79c89", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453103Z", "creation_date": "2026-03-23T11:45:30.453106Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453115Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "00b3ff11585c2527b9e1c140fd57cb70b18fd0b775ec87e9646603056622a1fd", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0630d6fc-0fd0-5e82-8113-b70a8cf8c82f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.825734Z", "creation_date": "2026-03-23T11:45:31.825736Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825741Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "34f43f48836d007907b570556ef8374485de44c0772a31b4bfb3da0d9fb0cad7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0635e83a-2aa2-5fb7-91e2-b9a931abca1b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618677Z", "creation_date": "2026-03-23T11:45:29.618679Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618684Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b62ecd7eccde402456eab582b49705cc77065d7015e7d92bbc06e0fcff097e58", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "064ad0c1-53c5-5170-be1d-a62adc279719", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487943Z", "creation_date": "2026-03-23T11:45:31.487945Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487959Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "caccf1965f77b49df12b2620952d6806bb8371ec6e344b055cad624318b75b99", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "064da8f4-2bdb-599b-a329-95e44e4a3bb4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462469Z", "creation_date": "2026-03-23T11:45:30.462480Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462489Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "36487117894ca7b93f704e26f22725827f6f04ec3b8c45eaa0d283a11de9a9c3", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "06509c64-b674-55d4-9c17-499f4545c9aa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616273Z", "creation_date": "2026-03-23T11:45:29.616275Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616284Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "065ffb3c-2da3-51ee-be53-e962555d4e02", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984244Z", "creation_date": "2026-03-23T11:45:29.984246Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984252Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9ee33ffd80611a13779df6286c1e04d3c151f1e2f65e3d664a08997fcd098ef3", "comment": "Vulnerable Kernel Driver (aka EneIo64.sys) [https://www.loldrivers.io/drivers/90ecbbf7-b02f-424d-8b7d-56cc9e3b5873/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "06615c0c-228f-512b-8133-3a258f2de2cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143687Z", "creation_date": "2026-03-23T11:45:32.143689Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143695Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3f085bc766d865fa012163ed7c044af25285525b1276b6cef2085efab78e9b66", "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "06687483-5a24-5d21-ac75-81bdb46e0b2a", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829628Z", "creation_date": "2026-03-23T11:45:31.829630Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829636Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e4b9295eef82a88012a2ae5a1987e3050a5b9a16862b7772c2f48bd2e36f7cff", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "066e77b3-da67-5b0f-8311-335135a536fa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816575Z", "creation_date": "2026-03-23T11:45:31.816579Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816587Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "539bc7e214d332c57c6f15612866fcc28ea26a98b59e9ef61a5c1741ab221ae0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "067cf797-ab30-5ff8-94d0-01f304adb096", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971361Z", "creation_date": "2026-03-23T11:45:29.971365Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971374Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7cb594af6a3655daebc9fad9c8abf2417b00ba31dcd118707824e5316fc0cc21", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "068025b9-3a38-50b5-9a3b-30c14ea6e256", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975931Z", "creation_date": "2026-03-23T11:45:29.975934Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975939Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b4c2ef76c204273132fde38f0ded641c2c5ee767652e64e4c4071a4a973b6c1b", "comment": "SystemInformer driver (aka systeminformer.sys, formerly known as kprocesshacker.sys) [https://github.com/winsiderss/systeminformer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0684151d-6de4-527e-adf7-c98ac1e3b1eb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829433Z", "creation_date": "2026-03-23T11:45:31.829435Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829441Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ad1486d7f98a6c3723196c246bf6997ccac65a46c2b0eb79ff638f594bb3193", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { 
"id": "068d19c5-1273-56a5-81df-8df7b3d9b6e6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460437Z", "creation_date": "2026-03-23T11:45:30.460440Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460449Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7149fbd191d7e4941a32a3118ab017426b551d5d369f20c94c4f36ae4ef54f26", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "069b5c6f-9cdb-5e03-98cd-5b855cba23cc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819289Z", "creation_date": "2026-03-23T11:45:31.819293Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819302Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "d92522c737592f306d1361c32ff88470940dd28a81ff26ce464a65d5c6b0b80a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "069be0f5-50b9-564f-b101-2d441e5020eb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814631Z", "creation_date": "2026-03-23T11:45:31.814634Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814643Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0636235b2705c062810212da1f50ef48a53433ca1aa27ed04b65539d219769ef", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "069d944e-0a8c-56cc-872d-15d7966e0a0f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150269Z", "creation_date": "2026-03-23T11:45:31.150271Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150276Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b36081d2fbb90148de42923ba0fef9165e92505fe39971eea9bb544db0ce6de6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "06b1e1b0-b95d-5ed5-ba98-c64b2146cf0c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152010Z", "creation_date": "2026-03-23T11:45:31.152013Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152021Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9a5c065d6e28c1e2d58765df1753e0dbbd0d8270ee2eb777dfd33d76bf200b57", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "06b39c46-093d-5e0f-aeaa-c7b862143f34", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480151Z", "creation_date": "2026-03-23T11:45:30.480153Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480158Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5868cb3bf5d5a9237e29210218d3d93683c0e4894bc48685ac7d84a1e25e0462", "comment": "Vulnerable Kernel Driver (aka IoAccesssys.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "06b75643-0b71-58c6-a3d7-0dc1020a0b1c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500814Z", "creation_date": "2026-03-23T11:45:31.500817Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500826Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "875de01289c469352f683580a0bf2d0cb46ccb242eb78424956679b18842270e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "06d7bad1-e0f4-590f-be2c-1f6e6ce0269c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154229Z", "creation_date": "2026-03-23T11:45:31.154231Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154236Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "db31d8cc945c9871612d19f2db3b16f81fbd19efc0e710b37057f6153b4fb2c5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "06da109a-4a6a-55fa-b81e-7187d7fbbe5a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816090Z", "creation_date": "2026-03-23T11:45:31.816093Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816101Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2b439a7f4cac2b13180a145873d791e2b6f71b2e10ef7117436a1ceae17bb733", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "06ddbcd6-e4c7-5d2f-9d12-0028d34a86ba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828383Z", "creation_date": "2026-03-23T11:45:30.828385Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828391Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "58db1e62698a87fda67b49fca76baca5b5991685b22565fb83e26edef5827997", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "06e48ac1-5837-5653-807c-b98c17b3be68", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611184Z", "creation_date": "2026-03-23T11:45:29.611186Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611191Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c0ed71b491aec860932fe92e5527ef444d537b396186ac839d5ed0884cfcaf0c", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "06e5551b-cad2-5391-80ad-09213f824ab8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500682Z", "creation_date": "2026-03-23T11:45:31.500685Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, 
"hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500693Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1327894d938cb090f79aff77edb58dab33244b4158f042852b9353f4ddec3697", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "06ec01ee-9855-5b31-9063-8d347cdf93c0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822998Z", "creation_date": "2026-03-23T11:45:30.823000Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823005Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "45e5977b8d5baec776eb2e62a84981a8e46f6ce17947c9a76fa1f955dc547271", "comment": "Vulnerable Kernel Driver (aka SysInfoDetectorX64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "06f304f3-94d0-5ba8-a96b-9f91c7e15916", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828689Z", "creation_date": "2026-03-23T11:45:31.828691Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828697Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "43dce6bb47503971e9de906e464925e35e321fb409ad20d2dc27e45ddcfe6552", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0708b8a3-4bfe-5319-925f-0f7d1d2c45c9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151229Z", "creation_date": "2026-03-23T11:45:31.151231Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151236Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a8989fd8122bea54c9912f1171658e29a7e4f4cd5d19f899d397a706deca8208", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0713656e-1889-5974-9456-84ca4212956f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608206Z", "creation_date": "2026-03-23T11:45:29.608208Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608213Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7bd50bd6388e371414ed7d36238a60d30eaa7abf539fcf6d70617405f53a0133", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0719fb7b-da47-5076-84b9-b266312d34c6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480144Z", "creation_date": "2026-03-23T11:45:31.480148Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480156Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ba96a1e0c038852bef36e857e1cff58576f62e59d8248da0f133414f4f9451f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "07225064-f2e3-5a1c-a966-079de817f649", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974486Z", "creation_date": "2026-03-23T11:45:29.974488Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974494Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "62d1ca62fb251b1eeda5d2577719414e6e26d4afdc5f3df3faf3b35de5cb9506", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0740f142-db65-5cd0-8ed3-229b2f429382", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146985Z", "creation_date": "2026-03-23T11:45:32.146987Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146993Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "011df46e94218cbb2f0b8da13ab3cec397246fdc63436e58b1bf597550a647f6", "comment": "Vulnerable Kernel Driver (aka TPwSav.sys) [https://www.loldrivers.io/drivers/c0634ed7-840e-4a7e-8b34-33efe50405c2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0744783d-46d4-542e-8ba7-284a1e9397d1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466748Z", "creation_date": "2026-03-23T11:45:30.466752Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466761Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1a5c08d40a5e73b9fe63ea5761eaec8f41d916ca3da2acbc4e6e799b06af5524", "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0748a661-bbaa-54af-a1a9-1711c94c0919", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604682Z", "creation_date": "2026-03-23T11:45:29.604683Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604689Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6a234a2b8eb3844f7b5831ee048f88e8a76e9d38e753cc82f61b234c79fe1660", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "07522169-0903-5d7a-a258-9894793239db", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613188Z", "creation_date": "2026-03-23T11:45:29.613190Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.613196Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "70870e20f563899e4f05be2d0049cb495552b409ca7f4729a335bcbfffc3f47c", "comment": "ASUS vulnerable UEFI Update Driver (aka AsUpIO64.sys and GVCIDrv64.sys) [https://codeinsecurity.wordpress.com/2016/06/12/asus-uefi-update-driver-physical-memory-readwrite/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0760d845-aa17-5f17-8fef-68d93506d3e3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455304Z", "creation_date": "2026-03-23T11:45:30.455307Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455316Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c509935f3812ad9b363754216561e0a529fc2d5b8e86bfa7302b8d149b7d04aa", "comment": "Vulnerable Kernel Driver (aka VBoxUSB.Sys) [https://www.loldrivers.io/drivers/70fa8606-c147-4c40-8b7a-980290075327/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "07664fd3-e35f-5924-9b44-fff36b1833a4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474208Z", "creation_date": "2026-03-23T11:45:31.474211Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474220Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "40168b00f67f66299e0dd90821d58cc99847b240cbdc5e55798d3faf8b517323", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "076fa59c-9e94-5898-9e7c-12b71b877968", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478443Z", "creation_date": "2026-03-23T11:45:30.478447Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478456Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "73fddd441a764e808ed6d6b8f3d0d13713e61221aa3cfef7da91cdaf112fe061", "comment": "Vulnerable Kernel Driver (aka vboxdrv.sys) 
[https://www.loldrivers.io/drivers/2da3a276-9e38-4ee6-903d-d15f7c355e7c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "07756c08-9011-51f9-83f6-0429ff62bac5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156126Z", "creation_date": "2026-03-23T11:45:31.156128Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156133Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e78e5d3343d079a8de332bf643119f9620744a02fa2996b9516388a104fa0acd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "07850c35-b85f-58e0-8a78-3b9c6143b808", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488673Z", "creation_date": "2026-03-23T11:45:31.488675Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488680Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fd2a221d679d56af948c3a60cbd005dce7efbcd1f99a07e06d3eba48691379b3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0788752b-690e-5df5-ac06-4bc27d3e8633", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467296Z", "creation_date": "2026-03-23T11:45:30.467300Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467309Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c24f503462a98f7a8bf0dbff0c8242e1f3d4e6cdf4327152f508717f0eafee4b", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0788872b-1998-5761-aec0-acf2cc5feb97", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482760Z", "creation_date": "2026-03-23T11:45:31.482764Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482775Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "598c6c1cb3fecd7406a21d28b231e24bf7803ebe7e460772add3a87819a59b88", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "07a1edee-53c2-5aa8-84c6-1005c2d1246a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146241Z", "creation_date": "2026-03-23T11:45:31.146243Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146249Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f9f79647f8e09c23efd21d85cded1c6d91ff47bcb16875891373d700c9e644bc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "07a3621e-4039-5039-af12-13c8237a7916", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972988Z", "creation_date": "2026-03-23T11:45:29.972990Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972996Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "82fbcb371d53b8a76a25fbbafaae31147c0d1f6b9f26b3ea45262c2267386989", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "07a416f8-07e9-50e0-b38f-6eca0bb0b241", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817250Z", "creation_date": "2026-03-23T11:45:31.817252Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": 
true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817258Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "505264db711d807080156698d019b75f7cd384775a7cec86d078cbe6e933dee8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "07a69adb-f0ad-58c3-bb73-3d07382bf3a2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605210Z", "creation_date": "2026-03-23T11:45:29.605212Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605217Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5ed37798f26ed2db67c01ae5229da39071e6130f495dfff733f9353f657f1c59", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "07ac79fc-c673-588b-8e41-55615dcec095", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828649Z", "creation_date": "2026-03-23T11:45:30.828652Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828657Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d0eed7d4a655baaf39a130beb78fbe1791a0b438ad13405fd5a1594127e4c01", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "07c62b9a-7c5e-5f33-b40c-c4b59a8656a4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825610Z", "creation_date": "2026-03-23T11:45:31.825612Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825618Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a2c83c208933e42e27a4be03b0f9b734c36339e48841f9fe47a5282eb17e47da", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "07ca592e-16aa-589f-be76-6e0d2c6cd8c4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973923Z", "creation_date": "2026-03-23T11:45:29.973925Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973931Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b773511fdb2e370dec042530910a905472fcc2558eb108b246fd3200171b04d3", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "07d6b9c1-6ddb-5113-a232-13e682d6f3d5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817977Z", "creation_date": "2026-03-23T11:45:30.817979Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817984Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b2bc7514201727d773c09a1cfcfae793fcdbad98024251ccb510df0c269b04e6", "comment": "Vulnerable Kernel Driver (aka sepdrv3_1.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "07de29c1-1825-5bec-950a-12b06fcec1a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821134Z", "creation_date": "2026-03-23T11:45:30.821137Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821146Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "898e07cf276ec2090b3e7ca7c192cc0fa10d6f13d989ef1cb5826ca9ce25b289", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "07ea975a-45fc-52cf-995b-96cfd5923226", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815123Z", "creation_date": "2026-03-23T11:45:31.815125Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815131Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7ad1dceb988c6c081726e950d2f420e2dac21c59160cc7919106e14988203cc6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "07ede0ac-ff29-5f78-9ec5-d97b29a62b77", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821210Z", "creation_date": "2026-03-23T11:45:31.821213Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821220Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "64da70b335897e3bc806bb4745fcc44fc80f3632edd418cb9ade3669cf29034b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "07f2152c-8bdd-5451-87e2-bcfdbf7bb255", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820108Z", "creation_date": "2026-03-23T11:45:31.820112Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820120Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fde6f8995ea6d7573471f2f60eed14d70759b3285543fb253fc1485d08982933", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "07f73354-d356-5aca-b81c-889280b682bd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618288Z", "creation_date": "2026-03-23T11:45:29.618290Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618295Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c188b36f258f38193ace21a7d254f0aec36b59ad7e3f9bcb9c2958108effebad", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "07fb1fa8-aef7-5519-8e01-94f1164526e7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808987Z", "creation_date": "2026-03-23T11:45:31.808989Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808995Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b6c7ad757caca0914847acb9672482005ef5ddc453484d54f6938ab1c594b7df", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "08096db0-82c5-517d-9220-26d4a0decc85", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479422Z", "creation_date": "2026-03-23T11:45:30.479424Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479429Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "38d6d90d543bf6037023c1b1b14212b4fa07731cbbb44bdb17e8faffc12b22e8", "comment": "Vulnerable Kernel Driver (aka segwindrvx64.sys) [https://www.loldrivers.io/drivers/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0810700b-96ed-5d09-b71e-0a8e87cdba4b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499162Z", "creation_date": "2026-03-23T11:45:31.499165Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499173Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bff977eab714911c400790b58513565952885cb348237de101a172474016cf64", "comment": "Vulnerable 
Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "082b28c9-c335-5397-af2b-d62ebfaeb8d4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815011Z", "creation_date": "2026-03-23T11:45:31.815014Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815023Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2c3cf064c8167dc82ee144f01483c4b870252318d23c1d1439cdcc36bbe639a4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "08318274-0a03-57b7-a98a-aa4a6031b930", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617323Z", "creation_date": 
"2026-03-23T11:45:29.617325Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617331Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "248dcc72d799d350d30b0f9e9ae93389cdcd11b43e38949ba9be414400657587", "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "083bb25d-92c0-5ecf-891b-4a75f07b4bd5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153924Z", "creation_date": "2026-03-23T11:45:31.153926Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153932Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "93df5db6037d76c3dabdb6b8dd384665f62ae8381d24b35e220fee93c2c715d7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "083f4573-950b-5aa8-abf6-0deae5fc923f", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488292Z", "creation_date": "2026-03-23T11:45:31.488294Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488300Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8f7afd13d94d7c73dc4585456c1fb2abbecdc154434198f8a19a7950b724382b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "084330c4-8397-5052-84fd-e91be2d9b91c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828632Z", "creation_date": "2026-03-23T11:45:30.828634Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828639Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"1b2ef93d0b7bba53f358dc2f7bdc1033c1925842966f21f8a6ccb2b3fe30065e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "08486284-66b1-5497-b97e-82a02a91d22e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616939Z", "creation_date": "2026-03-23T11:45:29.616948Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616958Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "96cb847fab0befab75a6f39080dd444d022d4bec73017c9d7187fe6282a0faa1", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "08603510-e98f-56f5-906b-7f210979c9f6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:31.811701Z", "creation_date": "2026-03-23T11:45:31.811705Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811713Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b292a62ad8f320fcf9327b1bde23c360b843778c905a0b0633ea30044a6a7457", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0862fa33-7f89-5c24-88c8-70226a1264b3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810769Z", "creation_date": "2026-03-23T11:45:31.810771Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810778Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d6a09e5c1b36a57a0aa46f469b52dbc60df21cfb92985a7abf26104996b6d5dc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"086618ac-fcc9-5e93-ac97-83dc65dd6962", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617431Z", "creation_date": "2026-03-23T11:45:29.617433Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617438Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "be66f3bbfed7d648cfd110853ddb8cef561f94a45405afc6be06e846b697d2b0", "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "087404c1-b0b2-5fd4-b89c-246111c321c5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143927Z", "creation_date": "2026-03-23T11:45:31.143929Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143935Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "deee9c8f018d7d2fa18e5409ebfc85dca0dd9600b94774f998ef0cd5bce77080", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0874a627-74b7-5900-a9e5-d756636da0a2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498684Z", "creation_date": "2026-03-23T11:45:31.498687Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498696Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "46dae2e1e9e040eec78cbf74c5b7adf5e34796e94869de2668c47c770f1c4ab3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "08828464-2abd-5763-9d16-8ab03b62390b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465057Z", "creation_date": "2026-03-23T11:45:30.465060Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465068Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6964a5d85639baee288555797992861232e75817f93028b50b8c6d34aa38b05b", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "08832b6b-d7db-5517-9dfd-1f031ccee6cd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980664Z", "creation_date": "2026-03-23T11:45:29.980666Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980671Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "def61560c0650717cb1da923f0d674b363b8f2051247719b34f06744bbb79000", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0884b735-d5f9-5bd1-8f5a-d4247e2ef3ba", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980621Z", "creation_date": "2026-03-23T11:45:29.980624Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980633Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "af9c600edb134fb8f21d585bbf7d0a4d3f1b792b6dd104c10d38f220f47671f8", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "088e8227-4f7f-5737-b5ba-ad3afd6c2d85", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982432Z", "creation_date": "2026-03-23T11:45:29.982434Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982439Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"9c6213a8222f087be42f493e37edf17e261e9afa0c832d05f3f1f54a318f60d2", "comment": "Vulnerable Kernel Driver (aka windows7-32.sys) [https://www.loldrivers.io/drivers/b45a3fdf-592a-4cd9-81e2-8fe03d554cad/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "089e5840-ad92-5edc-8191-b5c53fb79121", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491654Z", "creation_date": "2026-03-23T11:45:31.491657Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491664Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ad6b609b08a46738958bdcd3158b2697934fbb65ddb15b59bb1fe9810b7578b8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "089f5567-cea7-5a45-bb55-c00308a7b090", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976173Z", 
"creation_date": "2026-03-23T11:45:29.976175Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976181Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "08a8b7b8-39d6-5e3b-a1e4-482bb4a1544b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810593Z", "creation_date": "2026-03-23T11:45:31.810595Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810601Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "78086b63e901f3f8d086a54b6e3868494026520843463ba084e48e1271b295dd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "08c1369b-4330-5170-9a55-21041727e016", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830420Z", "creation_date": "2026-03-23T11:45:30.830422Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830428Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "32b7268733588e5884d01ab8a29bae20ce6d412711950281774dd727ff7fdbf2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "08cbe670-69a1-518c-a194-467265f6cf8e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612266Z", "creation_date": "2026-03-23T11:45:29.612268Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612273Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec", "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "08f48dfd-3718-5538-9db9-331f5068241b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807965Z", "creation_date": "2026-03-23T11:45:31.807968Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807976Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "78d78ad77ac2cae14b0faf8638c5fd649afef26bbc0893ae35987dac465b4bc1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0924a07f-49fa-5aa8-ac72-8adb0447f984", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:30.820030Z", "creation_date": "2026-03-23T11:45:30.820032Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820037Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2affa6b703f0491a44d6b7b09dfab83b36ac06979810665aaf7dd2913964c44d", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "092bf522-64cf-58d7-9ec6-21bd8a63ff22", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454182Z", "creation_date": "2026-03-23T11:45:30.454186Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454195Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "75e539170a00e447842a85441be36dc9e1fa81a3f6386806f3d90e7b4cca1ac1", "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/bc5e020a-ecff-43c8-b57b-ee17b5f65b21/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "093050fb-e014-5b6c-bc7a-eaec7e6d2bed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 
10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459680Z", "creation_date": "2026-03-23T11:45:30.459684Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459692Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a2096b460e31451659b0dde752264c362f47254c8191930bc921ff16a4311641", "comment": "Vulnerable Kernel Driver (aka viragt.sys) [https://www.loldrivers.io/drivers/39742f99-2180-46d7-8538-56667c935cc3/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0937fde1-6c10-563d-8c36-b9fe95661faa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605043Z", "creation_date": "2026-03-23T11:45:29.605045Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605051Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1a34c260e59a33c93b89417344f943a2d1dfb0006359a6fc946a41d0e9d36a55", "comment": "Process Hacker 
driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "094374ed-37c6-5e53-82f1-8197905cdc0d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977261Z", "creation_date": "2026-03-23T11:45:29.977263Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977268Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fa9abb3e7e06f857be191a1e049dd37642ec41fb2520c105df2227fcac3de5d5", "comment": "Malicious CopperStealer Rootkit (aka windbg.sys) [https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0945e067-efd2-589b-b659-84177636ba9d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615031Z", "creation_date": "2026-03-23T11:45:29.615033Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615038Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f088b2ba27dacd5c28f8ee428f1350dca4bc7c6606309c287c801b2e1da1a53d", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0954e921-cad3-5e67-bbe4-f4eb3688a90c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490102Z", "creation_date": "2026-03-23T11:45:31.490104Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490110Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6f3f1ffc8021b028288ce44c4f5cf948538587f3c8150de34c2685f487ce184c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "098bf438-d172-56b8-bc7f-88b7a2bd2f52", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828601Z", "creation_date": "2026-03-23T11:45:31.828603Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828608Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9337b3565c8221513bddfa2454c6657438b42231b0482a9fc7d8f16b0ecd25f6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0991e203-e53b-56b3-8788-ebd56ca7696e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156921Z", "creation_date": "2026-03-23T11:45:31.156923Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156929Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "322d5a01c73af710e2ffabdb1622201b55025ea106b8c876ffc9b4bda156ff58", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "099233ba-9eb3-5001-a197-f2d85d26ec98", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832549Z", "creation_date": "2026-03-23T11:45:30.832551Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832557Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "18bc25605b2b6fc7195a7606a7ca6a22002e5e6ce7b864e33b08256fa3cfc0f7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0998903c-fe2c-51af-9b1a-d6b598b200ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970837Z", "creation_date": "2026-03-23T11:45:29.970840Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970848Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0713a541b70f58bbcd1807c69ae855e9ce041b807e34978df6c1e9357c53acef", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "099b45a0-daf7-5809-8286-0a614edf0f89", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460379Z", "creation_date": "2026-03-23T11:45:30.460382Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460391Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0e10d3c73596e359462dc6bfcb886768486ff59e158f0f872d23c5e9a2f7c168", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "09a0762e-2166-5697-845e-bef85c448ffc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475769Z", "creation_date": "2026-03-23T11:45:30.475772Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475781Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a2d32c28eb5945b85872697d7cfbe87813c09a0e1be28611563755f68b9cb88b", "comment": "Malicious Kernel Driver (aka 6771b13a53b9c7449d4891e427735ea2.sys) [https://www.loldrivers.io/drivers/ddca6daf-4932-4e82-ad3c-d92d47632ea4/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "09a35e83-2f7a-509d-aaad-9a6dc1a143d5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143485Z", "creation_date": "2026-03-23T11:45:32.143487Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143493Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0cb429e6daaba89111d2edb3e01ef1d8ac9b90813b9d80292fe8050287a63146", "comment": "Vulnerable Kernel Driver (aka wsdkd.sys) [https://www.loldrivers.io/drivers/a8f2da2a-369c-4b4d-9a00-d7a892b9f7c3/] [authentihash SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "09a9b916-bd7b-5052-af92-0252a6b02915", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829324Z", "creation_date": "2026-03-23T11:45:30.829326Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829331Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d4213c339e98d7f0f363dcfc282b8bac31c67870f7d877a6c7215dc2119660fa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "09b0c853-85bf-54cd-a518-6abb579425f4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621564Z", "creation_date": "2026-03-23T11:45:29.621566Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:29.621571Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7e3b0b8d3e430074109d85729201d7c34bc5b918c0bcb9f64ce88c5e37e1a456", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "09c2585e-54b7-5a6d-9c74-43e356a1f07d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491007Z", "creation_date": "2026-03-23T11:45:31.491010Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491018Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "afa9b3a1cb40dce9b9b524a72376159f9defcb47f29330afccec9bfb616227d8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "09d1c951-b169-5cb7-b910-d7dda62c52fd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608579Z", "creation_date": "2026-03-23T11:45:29.608581Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608586Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f6b082a294c1a85bf69a3f4a7e20536291372b53569bd562f1008eb5cf7228cd", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "09dc31e7-127d-586f-a47d-53c043066582", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146222Z", "creation_date": "2026-03-23T11:45:31.146224Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146229Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "febbb87b9c9081515f8b70e7bbd1f22ea0ec89f5cf5e2f0dc2e129fa48126130", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "09f49d45-0a9c-509f-a709-1a9f3e9d96ef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154840Z", "creation_date": "2026-03-23T11:45:31.154842Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154847Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d6607075c558ba471c6678c1bca63a601cfc8319f6ed99d21fefe37467670097", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "09f60b6a-f763-592b-afee-9c74aa2881fa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495904Z", "creation_date": "2026-03-23T11:45:31.495906Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495911Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ce9c1e9b1126e80b0aa0705ee7ab85052b9397601ad7f9c1c83dff3819caeff", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0a0dc9c4-e3f7-5852-898a-c7b6d202e4a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617971Z", "creation_date": "2026-03-23T11:45:29.617973Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617979Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "20dd9542d30174585f2623642c7fbbda84e2347e4365e804e3f3d81f530c4ece", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0a1a2d59-132b-5c6b-824f-139e92303293", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611584Z", "creation_date": "2026-03-23T11:45:29.611586Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611591Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "66cc007348a41fb33fab59f5ea265006534ba82db4eb7327039cbe2b4ce7e077", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0a2208d9-53d4-5fd5-9e59-9ef6103c2146", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605664Z", "creation_date": "2026-03-23T11:45:29.605666Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605671Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"3c7e5b25a33a7805c999d318a9523fcae46695a89f55bbdb8bb9087360323dfc", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0a22df87-9594-59c1-ac75-befa3c6bf7dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156038Z", "creation_date": "2026-03-23T11:45:31.156040Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156045Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9f42d07ed108ef9de0b48f2bfd0f2d427d9c5241873447167744ff3b7472449a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0a22f1b9-9f22-58cd-a12c-a219038f8d59", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.615765Z", "creation_date": "2026-03-23T11:45:29.615767Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615772Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f8ffb8a23be71c26f784905110b7e752473be55216300d08a83c40c1496fb6c1", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0a2ad231-5a70-5535-9ef1-0535e61cc99a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157118Z", "creation_date": "2026-03-23T11:45:31.157120Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157125Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f07b4f831e0d5e9be4c6a9a188ac6a4e3ca45f1abdea83e7480d101774a6a3e7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0a3d3ba8-1176-5e41-a0d4-b5b436a54b07", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982414Z", "creation_date": "2026-03-23T11:45:29.982416Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982421Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a2b0b2e9e458016b22ebbf47411008f0a87efd9103b125870ce37246ab5bdff0", "comment": "Vulnerable Kernel Driver (aka aswVmm.sys) [https://www.loldrivers.io/drivers/a845a05c-5357-4b78-9783-16b4d34b2cb0/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0a4fe9b3-0c6b-55d4-adf4-fbfa1f735f13", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825593Z", "creation_date": "2026-03-23T11:45:31.825595Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825600Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"ec3003c1ace455256ab24047d65f50436268e6a1f9ed7f1058a3ee77672a21f8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0a529ee2-9b47-597d-a1a2-9fb14b7e6ea5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477708Z", "creation_date": "2026-03-23T11:45:31.477712Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477723Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee55d61ce6082a9f8ff1e8e9fe83e1b52890d59260a12edcb44afb3a5250a537", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0a54338d-758c-5467-b153-dd1318ccdc80", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981402Z", "creation_date": "2026-03-23T11:45:29.981404Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981410Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cf66fcbcb8b2ea7fb4398f398b7480c50f6a451b51367718c36330182c1bb496", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0a5abda5-9e61-552f-aaba-fe7d2289d432", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608223Z", "creation_date": "2026-03-23T11:45:29.608228Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608233Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8f17b59039d2d47d6c653a7abce7b4b24e20e5501ac9fb1ec6893873f4cf006e", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0a5b7f1c-051b-5d2d-ad3c-5b4c4fad75e8", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823851Z", "creation_date": "2026-03-23T11:45:31.823853Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823859Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1cb5cd25ba016bb5aa00c045dd437332fa72994054c106ea0e259ce5ab25a9e1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0a5c4486-23c5-59d6-a877-eda5c41e6614", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453011Z", "creation_date": "2026-03-23T11:45:30.453014Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453023Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"e728b259113d772b4e96466ab8fe18980f37c36f187b286361c852bd88101717", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0a5feb19-4a14-5a6e-bce6-f04a61b1fc5d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491849Z", "creation_date": "2026-03-23T11:45:31.491851Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491856Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "624168346c02a53d6ca4dcd027538f26dab8e065511538d2c935e67ce72aa111", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0a65c004-7909-54ea-9757-9f2ee1cac567", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142506Z", 
"creation_date": "2026-03-23T11:45:31.142508Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142514Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "921f3df0ae9e95f2195ee2dd2ef21d044e63ade12c1ad494378e6f3b55793402", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0a70c169-f44e-57ce-aecd-8a29585ea16e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144129Z", "creation_date": "2026-03-23T11:45:32.144131Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144136Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "94b87b1cdaf1d86c2bc4eacef45608d0f16fdd3b981b88cdddc16b6bc64fe25d", "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0a70e384-b711-5965-88f3-cf3e71c5f093", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820513Z", "creation_date": "2026-03-23T11:45:30.820515Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820520Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c3db6290145dc8905c0f97e218e0ef071f435a6ffaf1ed4c0699605d9a540038", "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0a7c82e3-b069-5c07-a04f-4d2c35bc2aa9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475730Z", "creation_date": "2026-03-23T11:45:30.475744Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475753Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d16a59cd7c52d1d32bb43670cdca739aadb19ba15996bac62071845e1bfbdb95", "comment": 
"Malicious Kernel Driver (aka wfshbr64.sys) [https://www.loldrivers.io/drivers/ddf661c0-7dfc-4c26-89c5-00cd6a81a139/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0a8b0cc6-e401-55af-921d-57af9a41fdc0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826407Z", "creation_date": "2026-03-23T11:45:30.826409Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826415Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1a5825678ad989a0a02642a001aad3504e2487e0b88c836327ff56d7f9c9ea49", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0a8bbc39-5a9b-53bc-ab72-0d678e4cf286", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453783Z", "creation_date": "2026-03-23T11:45:30.453787Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453796Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "16e924aa8ced646c2ee99602b523f511ea386b78ed78a3d265a560fb64e88ee3", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0a90a483-aa0c-51e0-8d2d-a9878fe0399b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809990Z", "creation_date": "2026-03-23T11:45:31.809993Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809999Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d512fe03a7722259d0c3b23db809c2c2c4dc8dfc2ac2ec9a2d49447c875e6d58", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0a95640b-f703-529f-b9c6-06da7973b899", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985008Z", "creation_date": "2026-03-23T11:45:29.985010Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985016Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "80cbba9f404df3e642f22c476664d63d7c229d45d34f5cd0e19c65eb41becec3", "comment": "Dangerous Physmem Kernel Driver (aka Dh_Kernel.Sys) [https://www.loldrivers.io/drivers/dfce8b0f-d857-4808-80ef-61273c7a4183/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0aacd36d-1371-50a7-b3cc-683dfacd1166", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619456Z", "creation_date": "2026-03-23T11:45:29.619458Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619464Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1044ea40d459fe4c619a44afe53e6ff5a9cc5a37cf568d974ae23ed62da58759", "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and 
rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0aae4fa0-32fa-53f6-97b5-020c5cc7aa11", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977171Z", "creation_date": "2026-03-23T11:45:29.977173Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977179Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f4c7e94a7c2e49b130671b573a9e4ff4527a777978f371c659c3f97c14d126de", "comment": "ASUS vulnerable VGA Kernel Mode Driver (aka EIO.sys) [https://www.loldrivers.io/drivers/f654ad84-c61d-477c-a0b2-d153b927dfcc/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0ab1e3ae-62ad-5cb0-969f-d240a36e541c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459957Z", "creation_date": "2026-03-23T11:45:30.459960Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, 
"hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459969Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "07fb2bb6c852f6a6fe982b2232f047e167be39738bac26806ffe0927ba873756", "comment": "Vulnerable Kernel Driver (aka LgDataCatcher.sys) [https://www.loldrivers.io/drivers/5961e133-ccc3-4530-8f4f-5d975c41028d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0ab44ddc-9a3e-569c-aca9-f2bf35d24ca3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478192Z", "creation_date": "2026-03-23T11:45:30.478195Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478204Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5504258361f72faa2b35b15e0fd9edbcbcc30a4d99ef68a7805898cf75d8c809", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0abbcaed-d0c2-5422-a3b5-764e3ae004bd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978958Z", "creation_date": "2026-03-23T11:45:29.978960Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978966Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7ff8fe4c220cf6416984b70a7e272006a018e5662da3cedc2a88efeb6411b4a4", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0abc5513-cce1-5994-95b2-8ef1fd4f3de5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480046Z", "creation_date": "2026-03-23T11:45:30.480048Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480053Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ce0a4430d090ba2f1b46abeaae0cb5fd176ac39a236888fa363bf6f9fd6036d9", "comment": "Vulnerable Kernel Driver (aka iscflashx64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"0abdc52b-4524-5d86-b58e-61d691799b48", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453941Z", "creation_date": "2026-03-23T11:45:30.453952Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453961Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d5b270ac8ca4f87ba51eafb3b28102875bdbdde0f15520ec0a629d8a898c0b2e", "comment": "Malicious Kernel Driver (aka 4118b86e490aed091b1a219dba45f332.sys) [https://www.loldrivers.io/drivers/b32d8d7d-0dc2-4d09-a306-8efc4caf1839/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0abe08e4-bbe8-598b-b0a7-d01a839cefc7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143169Z", "creation_date": "2026-03-23T11:45:32.143171Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143176Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "1f8168036d636aad1680dd0f577ef9532dbb2dad3591d63e752b0ba3ee6fd501", "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0abf7a43-0d01-5c5f-a670-01e7b01178cd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967232Z", "creation_date": "2026-03-23T11:45:29.967236Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967244Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8249e9c0ac0840a36d9a5b9ff3e217198a2f533159acd4bf3d9b0132cc079870", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0ace242c-c291-52c6-9218-eb4d05d0d23c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:31.141681Z", "creation_date": "2026-03-23T11:45:31.141683Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141688Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "13bce760077e9171b9ce3c04ecf999178cca7456cacb30ae70e2f0da2939e33c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0acf925f-7b9c-5aae-a581-8e4d8374d790", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143999Z", "creation_date": "2026-03-23T11:45:32.144001Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144007Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "090d409f86430e078694e621ad0bd5e458d32aa727f0eb99bda3961577df8d49", "comment": "Malicious Kernel Driver (aka driver_090d409f.sys) [https://www.loldrivers.io/drivers/00561455-9da1-4f0c-8564-e4c99b716a74/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0ad25de3-42e4-5165-9468-25555dfb14c9", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809831Z", "creation_date": "2026-03-23T11:45:31.809833Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809839Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d6fcd8ceb13d79b67277a41a45e0af208e8d3763c611f647e054921644627ea", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0ada5fdd-b556-574e-894d-d4e0dc321647", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485384Z", "creation_date": "2026-03-23T11:45:31.485388Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485398Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "41288baa8b002a997eee958b0bc3f4d1811e8b29befd4d5d694ad7e7cca62ccf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0adad9df-2fdc-5bb9-a33e-e291c3cee407", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827452Z", "creation_date": "2026-03-23T11:45:30.827454Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827460Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "43ed5171b0881504a3d6338d3edddc3fa5b3b64362433be60168be42595f2b8c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0af681cf-ec70-55d6-b437-484ffe78d7a6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473446Z", "creation_date": "2026-03-23T11:45:31.473450Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473459Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a163d95c4e3f7c10b60bb20ef5c8c9c875a022519e68a66a5c0fd7e80f2e0722", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0afa022e-4223-5b3b-9660-cd3a5f1f7eb3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.161092Z", "creation_date": "2026-03-23T11:45:31.161095Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.161100Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "070c0221df7c5b6ecee15d8e4a354eac6f793bf3a49be4cd7f3eb739a140926b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
} { "id": "0afebba7-2d4f-5a81-850b-5fe7c4829b83", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977764Z", "creation_date": "2026-03-23T11:45:29.977766Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977772Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c54ffa9a32cd99972ca905dcf99e20f8429e3cfd45bc1ddf4f9af8b3ed688c88", "comment": "Vulnerable Kernel Driver (aka Lv561av.sys) [https://www.loldrivers.io/drivers/47a351ee-8abe-40d8-bc2b-557390fa0945/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b0190e6-fdc3-58cf-8c99-9d7173a082fa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980935Z", "creation_date": "2026-03-23T11:45:29.980937Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980948Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "0a9b608461d55815e99700607a52fbdb7d598f968126d38e10cc4293ac4b1ad8", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b09e8b3-3288-533e-ad58-46806cdce39b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470311Z", "creation_date": "2026-03-23T11:45:30.470314Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470323Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "09d6169da055725274a8c53c3139baff8ceef52346e5a910e735bb17f634f8bb", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b1c2827-3bb4-54db-ac4e-7ed3fb6a3c55", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.495836Z", "creation_date": "2026-03-23T11:45:31.495838Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495843Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d705fe962d99b56b8e2c9ceea176a6c78dbf609989a620a44bb3c17df8df8c0d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b1eae1c-6d25-5365-a14f-907dd470526f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968078Z", "creation_date": "2026-03-23T11:45:29.968080Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968085Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8abf744f0cbf09d67afc5b7cc9d613e69c73a5c8a45bcd26cf6bcfd03c3515ac", "comment": "Projector Rootkit malicious drivers (aka KB_VRX_deviced.sys) [https://twitter.com/struppigel/status/1551503748601729025] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b2286d0-418d-5bef-a6b6-3b1a4ffc4cda", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809813Z", "creation_date": "2026-03-23T11:45:31.809815Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809821Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3bcdbdcb40b10886b8357d0e92eb9c8ecc9ad35db08fc372dfdee1e743f31eff", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b257322-3d83-521c-9c94-62f931995649", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143130Z", "creation_date": "2026-03-23T11:45:31.143132Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143138Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "91163c36f5c9baa0b832df6a9ca6577b2745f482e3a3bae520cf963de493acc8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b29ef05-d328-55a3-8939-f2220f879c94", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140583Z", "creation_date": "2026-03-23T11:45:31.140585Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140590Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0edfecc24165a608260dd483d90d59aab016649b3f8f95131a8c8fa88e73a684", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b2ac80c-e48a-5648-9b83-4978eff47b70", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822354Z", "creation_date": "2026-03-23T11:45:30.822356Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822362Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0c66ca63774f8aa697fe172233283af90db88902204524294a4df212f9f0b949", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b34bcaf-45c1-5483-8b40-d62dcdfc863c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492108Z", "creation_date": "2026-03-23T11:45:31.492110Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492116Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1292bcc9b02ffd3bd50e50873728c4dbe7278049e2d88cd33b845cefe50bfa3c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"0b378e92-55e2-5e54-b225-e15718223b8e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830293Z", "creation_date": "2026-03-23T11:45:31.830297Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830305Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "62ede8393d076d04257526c70849b3fffac66ce9c2ffc038ba3b5f653abd93a2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b3c41bc-7e47-5676-bfed-d1ed6e285ed4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613171Z", "creation_date": "2026-03-23T11:45:29.613173Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613178Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d12acedc9a2702a18499b77dc8ae9e6b2d1eb557eb08c8a14b2ab3a984edec01", "comment": "ASUS vulnerable UEFI Update Driver (aka AsUpIO64.sys and GVCIDrv64.sys) [https://codeinsecurity.wordpress.com/2016/06/12/asus-uefi-update-driver-physical-memory-readwrite/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b3c54cb-b19a-52fd-bceb-fe9d8fbf083e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612368Z", "creation_date": "2026-03-23T11:45:29.612370Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612375Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "31d8fc6f5fb837d5eb29db828d13ba8ee11867d86a90b2c2483a578e1d0ec43a", "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b3de5da-6942-5a18-91e4-31fd0de4542f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, 
"username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967900Z", "creation_date": "2026-03-23T11:45:29.967902Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967909Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2d88ac88c0fd37bc34bf547479c226abc8bff1e9e82588a42dbad36ff69c980d", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b442084-73b1-533d-a7e6-49fa95e46d73", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975308Z", "creation_date": "2026-03-23T11:45:29.975310Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975315Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab1c74ed1ea4fc7a613aa22fd87ee4251ede260862fdebde2d7d2f00c0f23371", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, 
https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b496ac3-07f3-5422-9d48-7b2dc469dde7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458279Z", "creation_date": "2026-03-23T11:45:30.458282Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458300Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a855b6ec385b3369c547a3c54e88a013dd028865aba0f3f08be84cdcbaa9a0f6", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b4c456b-aaec-5bd3-adb1-35e2ea7e8d4d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612753Z", "creation_date": "2026-03-23T11:45:29.612755Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612760Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "18bea05d56bcbc0e23663db9b6dc79d9db3a218e711415a1e420dea2e183cb5e", "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b5e4506-210b-50d1-9edc-a3f4e4159ef0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480347Z", "creation_date": "2026-03-23T11:45:30.480351Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480359Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1dcdd1efab9abc25f4227b37f76da295a6dc4cf810875ba34ee1d465eb709b70", "comment": "Vulnerable Kernel Driver (aka GEDevDrvSYS.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b643760-8350-5250-876b-83b16092a7e3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482422Z", "creation_date": "2026-03-23T11:45:31.482426Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482436Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "120150209cbf69e79a5a17336631547b5a19811b2d130672eda29a71d8b51e06", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b6c8931-eb0c-5dd1-a939-2bfcd9ad18c3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488986Z", "creation_date": "2026-03-23T11:45:31.488988Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488993Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "08fe4d58f3ad3b133f61482a79087478fcc5bd67e77d1989bafbeb2c1443ab6f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b7093c7-4b51-59e4-97dc-d52a26e50874", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982607Z", "creation_date": "2026-03-23T11:45:29.982609Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982615Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a", "comment": "Vulnerable Kernel Driver (aka driver7-x86-withoutdbg.sys) [https://www.loldrivers.io/drivers/d9f2c3d6-160c-4eb3-8547-894fcf810342/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b787999-baf3-5e7c-af28-533cea2e959c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620640Z", "creation_date": "2026-03-23T11:45:29.620642Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.620648Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "76b86543ce05540048f954fed37bdda66360c4a3ddb8328213d5aef7a960c184", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b83401b-0090-5038-b99c-5f6581974168", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148608Z", "creation_date": "2026-03-23T11:45:31.148610Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148615Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "30a3428361788d8223b799bc246ac924ebcb368ddd50e58b3331815f14bfd581", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b8826cd-ec92-506c-b062-f5eaae80ddb8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834696Z", "creation_date": "2026-03-23T11:45:30.834700Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834709Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "16826601eb8274fbc8d43508f34a68cc68298b2990e507adb1914df21b403674", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b8abb26-a356-59e6-b179-1a80e3357d06", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817644Z", "creation_date": "2026-03-23T11:45:30.817645Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817651Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "163912dfa4ad141e689e1625e994ab7c1f335410ebff0ade86bda3b7cdf6e065", "comment": "Vulnerable Kernel Driver (aka dellbios.sys) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0b953ef0-fcbd-5b42-be37-a976e95f67cc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818030Z", "creation_date": "2026-03-23T11:45:31.818034Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818042Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c7d93ea1f42314ccfd60ecacdd7d006a1b6f0db13431bf0484ab1aef67aa2408", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0ba7ca57-c00e-571b-9ae4-88ff5300564c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491144Z", "creation_date": "2026-03-23T11:45:31.491147Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491156Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e033951baa8fca27e55a540c993ae0d6ae150f6f674649b94f0167452ced7932", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0bbfe8f1-6074-5c56-83ed-8de5b0a44a50", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826692Z", "creation_date": "2026-03-23T11:45:30.826694Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826700Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6c4ac19ff54da8d0670759be48a3c02face5bb9e8b12a7609f0ef1807b8cfa9f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0bcecd76-6f3e-516f-a64a-f85085c9cf67", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836699Z", "creation_date": "2026-03-23T11:45:30.836701Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836707Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6b8b754f5f1c00cc3eaa66baed4767317ab34054a36234c8a0c83f5e7422142e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0bd576e8-30c8-5d8a-93f2-e89522cd2997", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836082Z", "creation_date": "2026-03-23T11:45:30.836084Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836215Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1de4ea34aa10a60b0d6aec02ec57fa77ad2a30a43713d0bed7b5e375f86ddb2f", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0bd98ca3-8332-56e1-bae4-5fb35398f0e1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604735Z", "creation_date": "2026-03-23T11:45:29.604737Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604742Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "220a2dcf4d597f9208c0e7fd7057a91e88e118d420f20aac8e75ae3e39a7ac22", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0be91fa1-80df-5fcd-bc4c-98dfd1c72bdb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983755Z", "creation_date": "2026-03-23T11:45:29.983757Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983762Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3a5ec83fe670e5e23aef3afa0a7241053f5b6be5e6ca01766d6b5f9177183c25", "comment": "Vulnerable Kernel Driver (aka GLCKIO2.sys) [https://www.loldrivers.io/drivers/52ded752-2708-499e-8f37-98e4a9adc23c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0bf30aba-72dc-5acc-a9ee-982a4c02db63", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457861Z", "creation_date": "2026-03-23T11:45:30.457864Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457885Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a495ffa623a5220179b0dd519935e255dd6910b7b7bc3d68906528496561ff53", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0bf87bc2-faab-5c3d-aaea-376393799767", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154553Z", "creation_date": "2026-03-23T11:45:31.154555Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154560Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47e207fced7565ccf0f6c03359babd671b65b67c336ae642f37c60bc363aa0ce", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0bfa33b5-746c-5e84-afd7-857dbaa86431", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494053Z", "creation_date": "2026-03-23T11:45:31.494057Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494066Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a3837e6bb4c2d6083895ba1a7df22bd8241b346a1e726b51b99e8d7e8ddd7cd8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0bfd4c23-9c36-5728-a55a-8ba59d5ea79b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616023Z", "creation_date": "2026-03-23T11:45:29.616026Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616032Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c4031eb0a40137c4ab6d2dbdd2755135c63ab137a0aeb74a7bbea6617b96f0a7", "comment": "TOSHIBA BIOS update vulnerable driver (aka NCHGBIOS2x64.SYS) [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0c01846a-3edd-546e-aa57-7fecce8e3ccb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824269Z", "creation_date": "2026-03-23T11:45:31.824272Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824280Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c42e2c89f5c6a0cb91903b2549f4a5aa109f732679db26c6b247ca7075fba144", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0c035560-db45-5491-803c-c84398f94958", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809081Z", "creation_date": "2026-03-23T11:45:31.809083Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809089Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1272c192e229d867f524ee124a91ec81a472944f732aaf3d85ee8c6adafb2d90", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0c078c97-2f90-5ded-89dc-e2a9e8725877", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460956Z", "creation_date": "2026-03-23T11:45:30.460959Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460968Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7fc01f25c4c18a6c539cda38fdbf34b2ff02a15ffd1d93a7215e1f48f76fb3be", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0c0f8d5c-8ef9-5233-b4f5-2a1f371a09f5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817232Z", "creation_date": "2026-03-23T11:45:30.817234Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817240Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "49ae47b6b4d5e1b791b89e0395659d42a29a79c3e6ec52cbfcb9f9cef857a9dd", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0c10ce36-7342-5a8e-869b-015fa2183743", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822291Z", "creation_date": "2026-03-23T11:45:31.822293Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822298Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "88cf314dbfc8b2b83f07cd8c381b9f2761b6a229392cca33a4104ce8973d204b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0c1de15c-e502-57a7-a78b-a4536695b801", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611515Z", "creation_date": "2026-03-23T11:45:29.611517Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611522Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "94f39e23194d01698b2d8e7bb1c212bf192e81df59766d4adf5f7e33bbe13181", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0c24fe95-5f55-5133-8f41-ced83456dcc0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.478943Z", "creation_date": "2026-03-23T11:45:31.478955Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.478965Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "963bf7142b9023687b95016e5a182a114acb16ed9860c1b4d3f5865226671805", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0c436b7c-deb5-5a7e-9800-4692b4497446", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149033Z", "creation_date": "2026-03-23T11:45:31.149036Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149045Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bf943d2b77401c33550d46acc310c044eb8194332cb8c7ed07999ba8a02b9929", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0c4672ee-de17-5b12-a783-addd9ac07e7f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821023Z", "creation_date": "2026-03-23T11:45:31.821026Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821035Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7c27b79d4c1da8295b19c8375ca80875206d516010ff4112bdf30ae14763f84e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0c4d7fa4-db63-5a10-8970-9ffa11c9b446", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817533Z", "creation_date": "2026-03-23T11:45:31.817535Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817541Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6a0775d18fc9a3b24793b0f9d38a5dfc247efaad75bd335c4e543b4f55ba16ac", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0c53e645-593e-540d-8075-22c161acbb57", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609902Z", "creation_date": "2026-03-23T11:45:29.609904Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609910Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7b68763c39b45534854ec382434fd5a9640942c1f7393857af642ee327d4c570", "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0c56d84b-293a-5505-a48d-9bf14fd51663", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828578Z", "creation_date": "2026-03-23T11:45:30.828580Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828585Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "71724e2bd0c52ee13f77557b68cd7a8a4bc3d345bf0d6aa9653cc2102c8d10ec", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0c5dba18-ed87-59d8-a37e-48202e9c6c1b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607918Z", "creation_date": "2026-03-23T11:45:29.607920Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607925Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "53eaefba7e7dca9ab74e385abf18762f9f1aa51594e7f7db5ba612d6c787dd7e", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0c5dfaa5-bc6f-5bc1-8f1d-59e2c7afa09e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461353Z", "creation_date": "2026-03-23T11:45:30.461356Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461365Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8f8956abdeb2a52be2cc514790a737a0ad39a9e698a77c1f358e77f1bf9f180b", "comment": "Vulnerable Kernel Driver 
(aka sfdrvx64.sys) [https://www.loldrivers.io/drivers/5a03dc5a-115d-4d6f-b5b5-685f4c014a69/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0c622c91-3e05-5868-8ffd-17da64ea8a0e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827291Z", "creation_date": "2026-03-23T11:45:30.827293Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827299Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd502981546c9a28914b3a786172c5bd3945c1995dd4c34f251cb0d1d2ddc97e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0c6ada67-55fc-550d-b7b1-782a5b1b72c6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817169Z", "creation_date": "2026-03-23T11:45:31.817171Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817177Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "72b6c0305d2d264b0acf9caed51a831ca3916c958ede5c32018410a550376d8a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0c6f8bc1-d255-5994-a459-a74a81a0e8b4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488793Z", "creation_date": "2026-03-23T11:45:31.488795Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488801Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3c06c78644bb55d97c74a4763c8f4889928b0e149877369b1bf8d801a660694d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0c6fbdc8-d550-5eeb-aa66-85cc232090ae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474347Z", "creation_date": "2026-03-23T11:45:31.474350Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474358Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fe60f9bab775440a560b122a53102527bdf4573bd94c0de84de986e76991ab08", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0c87d2c0-e3ad-51c9-9ba6-7ea2b5859cbf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821162Z", "creation_date": "2026-03-23T11:45:30.821166Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821174Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"0fc3bc6e81b04dcaa349f59f04d6c85c55a2fea5db8fa0ba53d3096a040ce5a7", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0c8fc1a9-2f9a-58cb-b95c-5d44ca101e26", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825780Z", "creation_date": "2026-03-23T11:45:30.825783Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825788Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "85a577c789691e3805667ac56aafcf304230bf3c6885a8ec8392e334cce49cf0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0c9084e4-adea-509f-83d0-c60d5376eaab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.157530Z", "creation_date": "2026-03-23T11:45:31.157532Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157537Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8a9cd02916a4d08c36c592dce91e5c9e9d35a038fa4b95a6ad22d12800561b06", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0c976206-4181-5931-9267-3ab23140185f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488099Z", "creation_date": "2026-03-23T11:45:31.488101Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488106Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7c0899364deaa8fd14bfd9a2bb8669b0dd586e5cff00568f9d36d731228f5579", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0ca11f8f-872d-5ec8-a8df-724150f08f59", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455192Z", "creation_date": "2026-03-23T11:45:30.455195Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455204Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b430d3a0bdb837a5d6625d3b1cef07abd1953f969869ff6cf7ba398ae605431a", "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0ca331fe-0162-5cd9-87fd-5134e606007a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472274Z", "creation_date": "2026-03-23T11:45:30.472278Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472287Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", 
"value": "572c545b5a95d3f4d8c9808ebeff23f3c62ed41910eb162343dd5338e2d6b0b4", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0caa0fc2-1ba8-51df-a23d-94a19eccd905", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827907Z", "creation_date": "2026-03-23T11:45:31.827909Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827917Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9f87173cf9fcab276073fbfd6b27a424dd09d8411dbba87cf6ba3374f1b19efe", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0cae90df-b4a9-5c34-abbb-6d1df609dc5a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829272Z", 
"creation_date": "2026-03-23T11:45:31.829275Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829284Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "521b2e2f677df0224e3c0ccc829b2c71299058b5ea88c9b00ca6c3fdd622698d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0cb8c1a7-0921-531f-9df9-876ec067d8b3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828102Z", "creation_date": "2026-03-23T11:45:30.828104Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828109Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7e88722b68e9fe0c7676aecc6829b9873b43d9b76e49d7678301891b6d6ecb35", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0cbddf44-5dd5-5c60-a65e-0601b365806b", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141594Z", "creation_date": "2026-03-23T11:45:31.141596Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141601Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "83278f083a9773ac1bad4f31363fed125e14528bdea0f941e5efd3dc1cb51c17", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0cc21fb6-22ac-53fe-8e71-fa1adeaf48b7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828065Z", "creation_date": "2026-03-23T11:45:30.828068Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828073Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "8fc9a091c3dc6e053e044038f24bbc16028078c0fa40c5be19cbfb3ed81ea16d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0cc3ff37-e564-5db1-b054-e0be9e33e07f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461183Z", "creation_date": "2026-03-23T11:45:30.461186Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461194Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0bd1523a68900b80ed1bccb967643525cca55d4ff4622d0128913690e6bb619e", "comment": "Vulnerable Kernel Driver (aka sfdrvx32.sys) [https://www.loldrivers.io/drivers/6c0c60f0-895d-428a-a8ae-e10390bceb12/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0cd288f8-70ff-560b-ac35-4b100e2a215a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.465170Z", "creation_date": "2026-03-23T11:45:30.465173Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465181Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2fd43a749b5040ebfafd7cdbd088e27ef44341d121f313515ebde460bf3aaa21", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0cd50bf2-4433-5da8-8cc2-19f116b57fbf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808155Z", "creation_date": "2026-03-23T11:45:31.808158Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808165Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "355668540e0dd71fe784452303f8e45e27fc4820720eb934ff6851089967dea0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0ced8c16-4c62-551e-8e0a-4711dd9d272a", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605004Z", "creation_date": "2026-03-23T11:45:29.605006Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605011Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a943b358313881effa1cfd88c1755901a09596bf0e5423bf79e37b013d3fa534", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0cefec22-73e9-5321-b773-3e194a5ae513", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481694Z", "creation_date": "2026-03-23T11:45:30.481696Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481702Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f46c524b79b9b1eb7efd5275dd1604de94560b52edca70ba4e47037f4b55da47", "comment": "Vulnerable Kernel 
Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0d02bffe-47d2-5bc1-b232-1d56f99874eb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155859Z", "creation_date": "2026-03-23T11:45:31.155861Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155867Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b5f47ee3e3e18fc5275089a706f1c1a36eaec4a7409c973e988bf1d4a82a69b2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0d0570c5-89e1-51d0-803e-84ca6f953171", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455583Z", "creation_date": "2026-03-23T11:45:30.455586Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455595Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7125c9831a52d89d3d59fb28043b67fbe0068d69732da006fabb95550d1fa730", "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0d0733d4-e9d1-5db6-81c1-6133768502e0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493469Z", "creation_date": "2026-03-23T11:45:31.493470Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493476Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "41d956f4ca7b9e152f56279263921e933976ccf68a50d67acb17ebb4d5de13e6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0d195ab8-bde3-5581-9bb7-c1b87771c7a8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971890Z", "creation_date": "2026-03-23T11:45:29.971892Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971898Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4d0580c20c1ba74cf90d44c82d040f0039542eea96e4bbff3996e6760f457cee", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0d1e1c6d-ad40-5731-b19d-56da38105451", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979376Z", "creation_date": "2026-03-23T11:45:29.979378Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979384Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "50819a1add4c81c0d53203592d6803f022443440935ff8260ff3b6d5253c0c76", "comment": "Malicious Kernel Driver (aka windbg.sys) 
[https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0d22072f-e246-5353-98f4-295da2d365d3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610863Z", "creation_date": "2026-03-23T11:45:29.610865Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610888Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f74ffd6916333662900cbecb90aca2d6475a714ce410adf9c5c3264abbe5732c", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0d5f732a-c3a1-56c0-ac93-907e27a780ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144164Z", "creation_date": "2026-03-23T11:45:32.144167Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:32.144176Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4421ff85aacbcc36695a018c5c47e884d56d62d7d5b8172bb70384ffc4d6a2e4", "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0d630ebb-7662-536e-954f-952943480618", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824536Z", "creation_date": "2026-03-23T11:45:30.824540Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824547Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ebb1ec918e1cfb6f9b3e93f0a60f0db48b7aea59810a4f31cf26ab118cd988d7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0d63a7aa-64b4-525b-ba91-6f1d4ee8165a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479505Z", "creation_date": "2026-03-23T11:45:31.479509Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479519Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9a1caec70d9dad22668bdddbe246c9b30c2ed79477726a361da7701385d4d09b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0d65e827-a375-5c6d-bb1f-42dc8ee08c58", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828252Z", "creation_date": "2026-03-23T11:45:31.828255Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828263Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8d67f261038e85da36d146f7c024e10d13fcee24f5d033600791ea63bde0c5a2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0d759d9d-d434-57fc-b96d-65d0206e6165", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827326Z", "creation_date": "2026-03-23T11:45:30.827328Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827334Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a38b669c7f300abe26a58a6f4659534807f54ea885f27debcc4daba8cea9ace1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0d7a363f-5f96-5f3b-a865-87c6a04a4378", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817268Z", "creation_date": "2026-03-23T11:45:30.817270Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817276Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "129bfa559bde499f748cffc218f2b7ec4b22ee3114ceae8e386fbbe4e58e4523", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0d7e5698-f590-5c82-a080-152bec8d3aae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151003Z", "creation_date": "2026-03-23T11:45:31.151005Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151010Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "58bb0343ba788e72c723014cbea43820b05159be07b903a6c97ee426bdce753f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0d86b900-97bc-56ec-8868-e4fdfa13539c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146796Z", "creation_date": "2026-03-23T11:45:31.146797Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146803Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "45c4998d19df334deff602a8596ad512bee00f5e536fb91dc87d5337646a3638", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0d89a721-68f1-5bda-9794-721b19291e3d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152857Z", "creation_date": "2026-03-23T11:45:31.152860Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152883Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a0fa17d520322412e349284f172fa0f13ca4ef58956e00d367fd0bfabe18c2ca", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0d920d27-cc58-5646-b70e-d907d093ae5d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154169Z", "creation_date": "2026-03-23T11:45:31.154171Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154176Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4c3060d8b89d166ce600f28b9a403a70544adf108b0e2c3e09692c810023e879", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0d9854a2-a760-588e-8af2-8c2463967084", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824403Z", "creation_date": "2026-03-23T11:45:30.824405Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824411Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9e15e71021dc3bc0ccf6a0ad825d004b42feea9cf1c0f3d8510edfa26dce2ee5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0d9e5653-e538-57b2-aba0-26a0c34f14e3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.986154Z", "creation_date": "2026-03-23T11:45:29.986156Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.986165Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "43b7715e38449bf82ad0bb6b11d03da42150c1ee23148c5f396cc4ab1001622d", "comment": "Vulnerable Kernel Driver (aka directio.sys) [https://www.loldrivers.io/drivers/a2c3f6e9-25a5-4b75-8c6b-ad2d4e155822/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0dbf5b7f-cd7d-5a8a-9f3c-9e6d2901c2b3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495604Z", "creation_date": "2026-03-23T11:45:31.495607Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495616Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8461e722353e4ca2ff34fbef078c850c16498ed7a6d7581f20ee421584010f70", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0dc1c543-d24e-5c3f-b42b-1a6bb7c2cbe4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.815785Z", "creation_date": "2026-03-23T11:45:30.815787Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.815793Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "17942865680bd3d6e6633c90cc4bd692ae0951a8589dbe103c1e293b3067344d", "comment": "Vulnerable Kernel 
Driver (aka FPCIE2COM.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0dd17a6f-ac8c-50b8-b91a-95255e0eb552", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472433Z", "creation_date": "2026-03-23T11:45:30.472436Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472446Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e51ec2876af3c9c3f1563987a9a35a10f091ea25ede16b1a34ba2648c53e9dfc", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0ddb945b-8a83-5c19-a6e8-2fcc0b6cd4be", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971802Z", "creation_date": "2026-03-23T11:45:29.971804Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:29.971810Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "23ab90e1990b4c5250f7bacbc7ff90e989583a2ccacf4ba333255f1d385d0ad8", "comment": "PowerTool Hacktool malicious driver (aka kEvP64.sys) [https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HackTool.Win64.ToolPow.A/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0dde037c-0457-5836-a6be-ec538971fcff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820567Z", "creation_date": "2026-03-23T11:45:31.820569Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820575Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a34ccbaf4dfd2dd8c97d5d346abf177e7b1a5d97d462053eae75bc53f48b949b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0ddf9429-89f6-57e3-b49c-dbe3f4711d32", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607012Z", "creation_date": "2026-03-23T11:45:29.607014Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607019Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "19d579e5a08bcb524405bdcbd2ea7247548af9f23ce64582a5be5ae3f184ad23", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) - legitimate Sysinternals component, not malware in itself; quarantining it also blocks legitimate Process Explorer use, so expect hits on admin workstations [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0de38a08-7c51-5dfe-afc0-72ab6e44b7f2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456624Z", "creation_date": "2026-03-23T11:45:30.456627Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456636Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "507724d96a54f3e45c16a065bf38ae82a9b80d07096a461068a701cae0c1cf29", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) 
[https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0de8afcf-6164-5207-972e-316b527d0aca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820685Z", "creation_date": "2026-03-23T11:45:30.820687Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820692Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "07d0090c76155318e78a676e2f8af1500c20aaa1e84f047c674d5f990f5a09c8", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0de8dc3b-7182-5698-a360-0dd92ddb48d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985612Z", "creation_date": "2026-03-23T11:45:29.985614Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.985619Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "92f9d73cec5ab3352c4b3cbf4574d13b2e506cba24cc74580e19e941063eaf7d", "comment": "Vulnerable Kernel Driver (aka echo_driver.sys) [https://ioctl.fail/echo-ac-writeup/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0df226fe-4357-5400-b1c3-18658b719d53", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481358Z", "creation_date": "2026-03-23T11:45:31.481362Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481372Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eba7f6ae36e0aaa7ade176acf1af218739dbf6c6a25a56e6b5ced1567a3f6db5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0df3d649-ac45-5a8c-8ce2-f59b43232a69", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495310Z", "creation_date": "2026-03-23T11:45:31.495313Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495322Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "03eb25b9ffd3d58bb6f6c29d38697839ca871dfa211e42dddb19c6a84ec395f1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0df92180-5030-59d9-8fda-83d0caeca6f6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610563Z", "creation_date": "2026-03-23T11:45:29.610565Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610571Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8688e43d94b41eeca2ed458b8fc0d02f74696a918e375ecd3842d8627e7a8f2b", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file 
SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0df9b8a5-4ddb-53ac-9b47-ec96b018b630", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826281Z", "creation_date": "2026-03-23T11:45:30.826283Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826289Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b4876c029a6c88d98090beabfd5f6e1e5186824280224dc5178ad07427d737d1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0e04109e-55bb-5a15-aadb-805874a76252", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151108Z", "creation_date": "2026-03-23T11:45:31.151110Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:31.151116Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "99d42356eba7c7b6ee35797ee093d629649bd73dab14944f59ca89f354053c8d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0e1ee81a-59b9-5759-b6dc-29932b4396f7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606386Z", "creation_date": "2026-03-23T11:45:29.606388Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606393Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6222ed7d921b84e4ffcfa6638861348033191a3cc350547f7dcfb8927040f0a4", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) - legitimate Sysinternals component, not malware in itself; quarantining it also blocks legitimate Process Explorer use, so expect hits on admin workstations [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0e3c2ad0-8fd5-58f1-bc1d-8af917413301", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477391Z", "creation_date": "2026-03-23T11:45:30.477395Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477414Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "98ec7cc994d26699f5d26103a0aeb361128cff3c2c4d624fc99126540e23e97e", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0e40e719-43f6-5139-9eea-7d3e975cbc0a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606060Z", "creation_date": "2026-03-23T11:45:29.606062Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606068Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3ff39728f1c11d1108f65ec5eb3d722fd1a1279c530d79712e0d32b34880baaa", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) - legitimate Sysinternals component, not malware in itself; quarantining it also blocks legitimate Process Explorer use, so expect hits on admin workstations [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0e41b11a-7f28-55f4-af45-6f7eaa96ab8d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824886Z", "creation_date": "2026-03-23T11:45:30.824890Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824899Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "178238d8a0b3e642aaafc2217cac9c9277420b2ef2b16302d10b7952b8054799", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0e41fa7f-745a-5eaf-8a82-37c3b507223c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481658Z", "creation_date": "2026-03-23T11:45:30.481660Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481666Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "42b528fdde50a21afed0cbdc07a6cb9d22d421eb0228d4782f18d22a83873223", "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0e47cb8c-109e-5b59-bfae-ff4fd123196c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.497707Z", "creation_date": "2026-03-23T11:45:31.497709Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.497715Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "91808676497a3475557879cb44eda3e252f5170385e37c476629652324b9a512", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0e4f2091-7067-5399-a99a-0a5443a242f4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465985Z", "creation_date": "2026-03-23T11:45:30.465988Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465998Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0740359baef32cbb0b14a9d1bd3499ea2e770ff9b1c85898cfac8fd9aca4fa39", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0e50c0b4-20e2-59d7-972f-12543adfa566", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828401Z", "creation_date": "2026-03-23T11:45:30.828403Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828409Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c9e21c38488850dada38cc727028ed84d56192003eac34ed12f59a389d30a3fd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0e541cd8-42be-5369-a6cf-bbc721b0f5a4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813088Z", "creation_date": "2026-03-23T11:45:31.813091Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813100Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "91d8852011e6fc1a8ef8221a02357ce09f073d667d8eab9af269c5e22e7b1386", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0e646631-85aa-54bf-87ae-4ccab2e177ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142220Z", "creation_date": "2026-03-23T11:45:31.142222Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142228Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "624ccf6b462b82f89a8736f3269b57114ddaf714f809736c9962db06a17b6ce3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0e6a6826-16d4-5870-9dfc-6aa6a1c7eda4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607346Z", "creation_date": "2026-03-23T11:45:29.607348Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607353Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "df0cc4e5c9802f8edaefeb130e375cad56b2c5490d8ebd77d8dbdcc6fdc7ecb6", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0e6d7ecc-6ae1-5154-822e-04c4442a1fa3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808742Z", "creation_date": "2026-03-23T11:45:31.808745Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808750Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dfafcdb644b4c02b78eaef05a352b824cad60c36f118bcb00fb3e3a9fdc8b60d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0e6e2165-8dcf-56f9-99f0-b2da2e98b27c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455332Z", "creation_date": "2026-03-23T11:45:30.455335Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455344Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5b26c4678ecd37d1829513f41ff9e9df9ef1d1d6fea9e3d477353c90cc915291", "comment": "Vulnerable Kernel Driver (aka VBoxUSB.Sys) 
[https://www.loldrivers.io/drivers/70fa8606-c147-4c40-8b7a-980290075327/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0e73eafa-a53a-5ef0-85ba-a6998bac0c9c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981472Z", "creation_date": "2026-03-23T11:45:29.981474Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981479Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "edfc38f91b5e198f3bf80ef6dcaebb5e86963936bcd2e5280088ca90d6998b8c", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0e85c7b8-e01f-5040-b48d-d58998131d7c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608051Z", "creation_date": "2026-03-23T11:45:29.608053Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:29.608058Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3c9829a16eb85272b0e1a2917feffaab8ddb23e633b168b389669339a0cee0b5", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0e90f41d-55ed-5471-9feb-c20b9523d797", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829211Z", "creation_date": "2026-03-23T11:45:31.829214Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829224Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f35f07641f662583754d8a1ad1a457c438cc6901ae9be6d4225f61e8c1c2d0cd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0e912366-051c-56f7-93e4-fdbb0e28d490", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829610Z", "creation_date": "2026-03-23T11:45:31.829612Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829618Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e9d032fc15f52433c9a7b5c079bcb110d61c87b004111617694221a58c6a98e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0e9e4053-9826-50b4-8a0e-495383ba544a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835892Z", "creation_date": "2026-03-23T11:45:30.835894Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835900Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "868ffecf2f6ab6e58385d83429b014bd3214ff51393caa1dd1cb39719fc9183e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0ea1c3fd-b768-5c58-af3d-397e1a10095b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490332Z", "creation_date": "2026-03-23T11:45:31.490334Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490340Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "42ba46e7106efb977fc9c2a4a9859d2fb67168f19608481e93209c5a3516c7ea", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0eb022b3-d37e-5557-8772-fef9681d0723", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975202Z", "creation_date": "2026-03-23T11:45:29.975204Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975209Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd688dc0e5b7b6c5e506c153d4c52ab7023b27a438423ccf77bf61be4d1971b6", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0eb22133-3a01-5ee5-ae44-dce7a2c3aa73", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622776Z", "creation_date": "2026-03-23T11:45:29.622778Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622783Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "21a8aa12aa944658f05694243e4d7b9ba07ea24447b539d40977e9b7fa19fed1", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0eb7996f-0af7-509c-b6d1-458eb0fb977a", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493257Z", "creation_date": "2026-03-23T11:45:31.493259Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493265Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "31124ab8f3da114ab87b46dbb42758254a69c41d24a4a99416eb73295b0022a1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0ebbc04a-ded6-5fa7-8480-5d93c4a24fc7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612422Z", "creation_date": "2026-03-23T11:45:29.612424Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612429Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "c64d4ac416363c7a1aa828929544d1c1d78cf032b39769943b851cfc4c0faafc", "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0ebc7407-0cb7-5793-abd0-aecc61c5bf3e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967938Z", "creation_date": "2026-03-23T11:45:29.967940Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967955Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d31118a2e92377ecb632bd722132c04af4e65e24ff87743796c75eb07cfcd71", "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0ebf02c3-27cb-59a9-8cdf-d10a2f02c6fb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:30.466441Z", "creation_date": "2026-03-23T11:45:30.466444Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466452Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "19dfacea1b9f19c0379f89b2424ceb028f2ce59b0db991ba83ae460027584987", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0ecc43c5-540c-5e83-b96a-460b260c2dd9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611342Z", "creation_date": "2026-03-23T11:45:29.611344Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611349Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c2159219e9986ab9e07e00a87fb83835230a2b99174e7f9b94096046c2dace55", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0ecc7a9a-6c61-599b-b62d-111887236147", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489751Z", "creation_date": "2026-03-23T11:45:31.489754Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489762Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2f84bb12accc91d67a916636f3a903ab4d1b5c917b2302c112717d55dd33cc14", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0ed18a86-20c4-5dbc-bf69-3f2a68288627", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614963Z", "creation_date": "2026-03-23T11:45:29.614965Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614970Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"e005e8d183e853a27ad3bb56f25489f369c11b0d47e3d4095aad9291b3343bf1", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0ed604ba-056f-536d-8813-f1ae7ba2bd39", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141166Z", "creation_date": "2026-03-23T11:45:31.141168Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141173Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b942cb3421f66bdc6895200054232f2b22af6995d34a513df6259c30bf1d0d9d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0edd54dd-d2ca-58f2-800c-3f950859b34e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.614232Z", "creation_date": "2026-03-23T11:45:29.614234Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614239Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0d0962db9dc6879067270134801ad425c1f3e85b0dc39877c02aaa9c54aca14e", "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0eeff0d9-0809-5a44-9310-f04f765bd841", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475763Z", "creation_date": "2026-03-23T11:45:31.475767Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475777Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1b2bf79d88646a1a1afbb4677ca1622e3db71f1f06869fa8751ba19c5ce61134", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0ef8eb06-9289-5272-b9bb-5c989acd5ba7", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142054Z", "creation_date": "2026-03-23T11:45:31.142056Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142062Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "639cfdb6dfe53be18dfc5974089a361c23b0ecfe0ff346bf451098b5c44b2dde", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0f038925-9423-53d8-a9de-d7fbf47fc3fe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604790Z", "creation_date": "2026-03-23T11:45:29.604792Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604797Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"a3d65e0f04514f60acaa70f934e3e888211301566415822e6326fa930a551ba1", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0f0f7f17-bc8d-5ea0-a0ae-ac6f2604d7ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617483Z", "creation_date": "2026-03-23T11:45:29.617485Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617491Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5c04c274a708c9a7d993e33be3ea9e6119dc29527a767410dbaf93996f87369a", "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0f1813f7-faf0-5901-9d9e-e7eaf2038f19", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495510Z", "creation_date": "2026-03-23T11:45:31.495512Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495518Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3df8f062d6b16b4615c8d170437a8d0ce8fc2de10b812b35b2c21b6b2f9c6d96", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0f1970d6-86f1-5867-a80b-d84588939106", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146294Z", "creation_date": "2026-03-23T11:45:31.146296Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146302Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d65b29640c75a2364e22f07cd647c1bd1c441a677d79f3b8a75260b3d2dbecb3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0f1aabc3-b617-52dd-99e5-aec4be6abc44", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827497Z", "creation_date": "2026-03-23T11:45:31.827499Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827505Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "af80b334ef86d05d652a4eaa6edbf8544283e78752c5c84ec84d13edca228129", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0f1e891c-bbf5-5af5-a51b-f2a93b526d20", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479601Z", "creation_date": "2026-03-23T11:45:30.479603Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479609Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"548c44566d19ba0975c9a22e7b592fda45bfa8831e56f55c1c3e7241d84dd175", "comment": "Vulnerable Kernel Driver (aka HWiNFO64I.SYS) [https://www.loldrivers.io/drivers/080a834f-3e19-4cae-b940-a4ecf901db28/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0f210936-fe6d-5ff6-8357-9ac8ecbcaf53", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490945Z", "creation_date": "2026-03-23T11:45:31.490957Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490966Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "93e6ee9a67a9720669944e22d76019b3b5cd63a4ca99dafc25a446c6136ed322", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0f21fe95-0426-517d-893e-112dd119ae07", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820969Z", 
"creation_date": "2026-03-23T11:45:31.820972Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820981Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ed8815b30cf785d1748b62d154bcc09075648bea72495e68be0b9b8b342fd0af", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0f282c62-f551-556b-8839-18aeb7b3b1d5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461324Z", "creation_date": "2026-03-23T11:45:30.461328Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461336Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f4ee803eefdb4eaeedb3024c3516f1f9a202c77f4870d6b74356bbde32b3b560", "comment": "Vulnerable Kernel Driver (aka sfdrvx64.sys) [https://www.loldrivers.io/drivers/5a03dc5a-115d-4d6f-b5b5-685f4c014a69/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0f3121cf-9ac1-579d-a37e-21ab691b5c07", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.142707Z", "creation_date": "2026-03-23T11:45:32.142709Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.142715Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cf9859b7126c8f1546911651d0f4a506c8802451807b695854429f8b79688a37", "comment": "Vulnerable IKARUS anti.virus Driver (aka ntguard.sys and ntguard_x64.sys) [https://www.greyhathacker.net/?p=995, https://www.exploit-db.com/exploits/43139] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0f3ca033-702f-5d05-9889-39b20b8dcb24", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621461Z", "creation_date": "2026-03-23T11:45:29.621463Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621468Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"c344e92a6d06155a217a9af7b4b35e6653665eec6569292e7b2e70f3a3027646", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0f409154-88a5-5c90-92fe-87d19d219bca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466908Z", "creation_date": "2026-03-23T11:45:30.466911Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466920Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9a84ad211fc549d0f118b3211cb11fd3ab2ced86de9cd20173d03e1a47834133", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0f422f0d-8729-5ae4-80d9-814c54e5d56e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810716Z", "creation_date": "2026-03-23T11:45:31.810718Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810723Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fda127b1df8d657e35b73f61384dfeeac17bf4d20e9e733488420a14b3a2578c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0f4953e8-71a4-5c34-a393-a46444428e8c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606611Z", "creation_date": "2026-03-23T11:45:29.606613Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606618Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6dd992ad181d9a8ba8bc02542a5379375857460d8f2818ff6fc32f726aa431af", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0f509653-bf7d-5150-8788-578fe22d3c5f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.815689Z", "creation_date": "2026-03-23T11:45:30.815691Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.815697Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "66a9052d6b1d35147f581249f6b524d8cab0b7c6ff80f621a4481f43db462540", "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0f51834f-e8b6-5c64-b042-54a978fb8581", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810894Z", "creation_date": "2026-03-23T11:45:31.810896Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810901Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c872de9c4d9b5d7f18a8789939951d691882da450b11793f59c9f4ef21fb621e", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0f5bb38f-d477-5f16-a333-fcdbac5f80cd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621774Z", "creation_date": "2026-03-23T11:45:29.621776Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621782Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5aa7a47c7abaf13453b8ab309ef16bdd80ceaf7407e67fa27932d4591f025d67", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0f65c1a6-841e-557a-98d2-3ad57a62dfe0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971488Z", "creation_date": "2026-03-23T11:45:29.971490Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971495Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9a95a70f68144980f2d684e96c79bdc93ebca1587f46afae6962478631e85d0c", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0f6a52e0-c0be-527f-b9a2-764df05b0e48", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969785Z", "creation_date": "2026-03-23T11:45:29.969787Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969792Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "59e004cd839611cbc5f7c061827587dbb120d7aab8d0e44191c0c01aeed9e168", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0f85c1a6-8c8f-544a-b4d7-5db7e09943c7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468318Z", "creation_date": "2026-03-23T11:45:30.468322Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468330Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "67d4654d7e78e4d0761d8e200096935791d59acb2bf98106dafff449647c840f", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0fb68b29-3473-53ee-9689-96daac6b1333", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481809Z", "creation_date": "2026-03-23T11:45:31.481812Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481823Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a56b64d3822154749911a8189edc435f70ebedddd1da76878e7a1ce3b0a2bd15", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0fb82f82-7cae-50ae-ab33-f0be416f9165", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489578Z", "creation_date": "2026-03-23T11:45:31.489581Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489588Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5f47e8b63cbe05a0a83806501d7eecb6339c5a718f80f8f1866fa164595ca185", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0fb943dc-aacd-527c-ba74-255d63204b22", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610600Z", "creation_date": "2026-03-23T11:45:29.610602Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610608Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8d57e416ea4bb855b78a2ff3c80de1dfbb5dc5ee9bfbdddb23e46bd8619287e2", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0fbe90a8-9c10-5814-8b58-32945e5e707c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615417Z", "creation_date": "2026-03-23T11:45:29.615419Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615425Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4e92baa37cd8b665ca0851f8442766aaf3b96fa61ea137d5972d5eb059389a05", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0fc1ee8a-333d-5770-b7de-619bddb8fb7d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827928Z", "creation_date": "2026-03-23T11:45:30.827930Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827935Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "df5548418a899fe0b375f35e196637cb873acb374a300c865f183af388ca40c2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0fc556da-9f78-5d44-993e-67fe027d4fbe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618237Z", "creation_date": "2026-03-23T11:45:29.618239Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618244Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9368e51ec98e2ad20893a5fc21e6a8b20c5bee158d5c49ca58649cff84db9d68", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and 
nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0fc90c00-c363-5593-ace6-7eeee1ee032e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972738Z", "creation_date": "2026-03-23T11:45:29.972740Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972745Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f78e06f649bc0d88770c5465d7792abeb27631ec0ce9a0fa68698b94ebf2cf49", "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0fcb3917-67ca-54b5-af45-e3e3c5d6457e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.476436Z", "creation_date": "2026-03-23T11:45:31.476440Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476449Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "987249b8aad583f4de69b2371182db2d379381d175ea50b1ea0500de0394d57c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0fd2871d-6f8b-5ac3-a632-c2c583adfd98", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973148Z", "creation_date": "2026-03-23T11:45:29.973150Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973155Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "86236392bb2cc77100bd83d34a30e3fb60aa727d0b11c147a838d9a205bae80e", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0fd85c56-ccfe-5ebd-bbdd-e4c1623b4f29", "test_maturity_current_count": 
0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466043Z", "creation_date": "2026-03-23T11:45:30.466046Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466054Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0f7bfa10075bf5c193345866333d415509433dbfe5a7d45664b88d72216ff7c3", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0fdc589e-7f5c-5c77-8ad3-7b555320b40a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821826Z", "creation_date": "2026-03-23T11:45:31.821829Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821837Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"3b7c14dd71837e42450aafee5c7bb67d4badd203616f1b2e73591a154ac16ce6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0fe70913-7db9-5caf-aa16-093c73b405cb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977125Z", "creation_date": "2026-03-23T11:45:29.977127Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977134Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cf69704755ec2643dfd245ae1d4e15d77f306aeb1a576ffa159453de1a7345cb", "comment": "ASUS vulnerable VGA Kernel Mode Driver (aka EIO.sys) [https://www.loldrivers.io/drivers/f654ad84-c61d-477c-a0b2-d153b927dfcc/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0feaa0c1-2405-590d-856e-b953fff47696", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156723Z", 
"creation_date": "2026-03-23T11:45:31.156725Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156731Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e6ddce3ee843569abcdb06523dc5031394bcb971a645922eaeb85a462b72188c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0ff1da40-e272-5b75-a9f0-c560dfe8123a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609920Z", "creation_date": "2026-03-23T11:45:29.609922Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609927Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1622ac0c618a86be17e0f97daa061f9aaa0e721dc0fd30d76bbc5c958e9a9d92", "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0ff21dd9-50d9-56fc-a27e-7854969d326c", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493681Z", "creation_date": "2026-03-23T11:45:31.493684Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493692Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fa50f18e1db46b6ddabd195f67745eb38dd0f68bea634ab8a64350d81e3d4734", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "0fffa5ff-208c-500e-b7b5-40d00c7cbcdc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813825Z", "creation_date": "2026-03-23T11:45:31.813827Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813833Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "c25dceb5b12dcb45cd96abcaac829fabd3078ba24b732efb31194af3b79dad8d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "100325ea-73a3-5f97-be11-5609d3d465ac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145737Z", "creation_date": "2026-03-23T11:45:32.145739Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145745Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "668c5bead3c7fcd919afd742ede7e5fe07972dc4cf730ff37deabdd22d88de4a", "comment": "Malicious Kernel Driver (aka driver_668c5bea.sys) [https://www.loldrivers.io/drivers/04eefdf4-448d-45bb-87fc-93f263fc77f4/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "10045882-2ed4-55fb-962a-6aee1926e65f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.815097Z", "creation_date": "2026-03-23T11:45:31.815100Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815109Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bba8e6906541aed6406438a7a27f4e3d8e603a325449b0cc17df53d1d0db8329", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "100abf05-0ca9-53bc-9994-30a704e0020a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463299Z", "creation_date": "2026-03-23T11:45:30.463302Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463311Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0a27ac1a8173413de13860d2b2e34cb6bc4d1149f94b62d319042e11d8b004c", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "10108155-f204-5434-ad7c-a0e750f86310", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829483Z", "creation_date": "2026-03-23T11:45:30.829485Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829491Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d29c7bd3f007bde4776866ccf377eb222673009ac0280948fd704a525f6515ec", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1017936e-446a-5fd9-b643-5290e67ca045", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454269Z", "creation_date": "2026-03-23T11:45:30.454273Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454282Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"7462b7ae48ae9469474222d4df2f0c4f72cdef7f3a69a524d4fccc5ed0fd343f", "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) [https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1022da3e-ab26-53be-ade5-83f022a87076", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827822Z", "creation_date": "2026-03-23T11:45:31.827824Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827830Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ada441e68a3291303ed191fc670a8e2521b8e83a7008ee789335a8a0d62af825", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "102df2d2-d0c4-5934-89e3-fe76d74cec09", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621368Z", 
"creation_date": "2026-03-23T11:45:29.621374Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621379Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "191689c53195dbe828f406b206cb167dcd4671ecdab32b80e01c885f706a6baf", "comment": "ASUSTeK vulnerable physmem driver (aka AsIO64.sys) [https://www.loldrivers.io/drivers/79692987-1dd0-41a0-a560-9a0441922e5a/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "103c8f1f-9c70-5eaf-83ae-0a4dd214d667", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830013Z", "creation_date": "2026-03-23T11:45:31.830015Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830021Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7e256508f576243d58cf038eb0db38cb9573b4d5adedb35a07e0925ea4032623", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "103e5409-ed39-5f42-9b81-0a0f09b73c8a", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481169Z", "creation_date": "2026-03-23T11:45:30.481171Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481176Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eb91e05733244a23f741a299e5e4a57836685a8f45366e690bc30b4befc02b14", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "104e8a15-8afb-5a2d-a85e-cf64aa59bcac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820698Z", "creation_date": "2026-03-23T11:45:31.820701Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820710Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"1402f071112c6f5c5fd4dd1aa31f03ad56b5e771c4de1fb54be75096cd3c2b40", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1066e54f-9e28-5c3d-bb31-61f4d2e169c4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140970Z", "creation_date": "2026-03-23T11:45:31.140972Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140978Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f8494ecde84bbed336833d05e100e17873f3eab95f4dc676274cf072e6d758f3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "10731df9-0b81-51f4-99f7-34199a58c987", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982140Z", "creation_date": "2026-03-23T11:45:29.982142Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982147Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d969845ef6acc8e5d3421a7ce7e244f419989710871313b04148f9b322751e5d", "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/b03798af-d25a-400b-9236-4643a802846f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "10758e24-d69a-5e75-86ab-812ae70129e7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972284Z", "creation_date": "2026-03-23T11:45:29.972286Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972291Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0ae3c446e5f075e8fc3db31eabd744a65b2c50a9b4a52877873547951bc19bc9", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "107dea3e-fe98-5414-bb9b-b95be19fb94d", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498469Z", "creation_date": "2026-03-23T11:45:31.498472Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498480Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8a1c37bda3fc4ad8a5ccd3c5e0af179314a43b7294180ecc0fbedefa96701c59", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1084ffbf-3e2b-52b6-9946-0aa18d1f6f1c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157049Z", "creation_date": "2026-03-23T11:45:31.157051Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157057Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "0f2cdadbbf1072dcba6ef07bf3ef3a9e24a77b9401970a5cc4fa5bbe77c315f5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1087ce96-0757-5619-a841-810173fed890", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621755Z", "creation_date": "2026-03-23T11:45:29.621757Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621764Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9c7ad854f6670452d7da064d4b429eb90c42155b6f7eaa52ee471d9ee8b61e6f", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "108a7c91-008b-5f1b-9462-a7c65103d067", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.808649Z", "creation_date": "2026-03-23T11:45:31.808651Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808657Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c78e4e21776fb14f43641e98a50624497de8039dc22b9514755e3e681a34d4ff", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "10955731-1fa3-507e-8f4a-1ffe5d6743c0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.497836Z", "creation_date": "2026-03-23T11:45:31.497839Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.497845Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a595e1034665a108a7a7cba263709401d82477aa68187fd6ef3927b4acc2cd07", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "10a94906-b49b-542c-b1fa-5dd4e042da16", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.142850Z", "creation_date": "2026-03-23T11:45:32.142852Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.142857Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f8c07b6e2066a5a22a92d9f521ecdeb8c68698c400e4b83e0501b9f340957c22", "comment": "Vulnerable Filseclab Driver (aka fildds.sys, filnk.sys and filwfp.sys) [https://twitter.com/SophosXOps/status/1764933865574207677] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "10b1048a-092a-5594-9a4c-6cfcec02a266", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476107Z", "creation_date": "2026-03-23T11:45:30.476116Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476125Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", 
"value": "66a20fc2658c70facd420f5437a73fa07a5175998e569255cfb16c2f14c5e796", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "10b3fc3b-bae4-5fec-912e-cdc37b554272", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157456Z", "creation_date": "2026-03-23T11:45:31.157458Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157464Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c18f564bcbee4723514580fd7741e1883ffbf2e37e9f5b2da5a79033305aaa13", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "10b86956-0b58-55aa-862f-a070e96542d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809289Z", 
"creation_date": "2026-03-23T11:45:31.809292Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809301Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e72867adaa4a79dd8d332b3d2e0bf705b76af7c5e8505167c23aa41bac7ce1bb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "10db64ef-0c56-54f1-ad29-0ed1f3cfde0d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146058Z", "creation_date": "2026-03-23T11:45:31.146060Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146066Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f91769cd61784914bde779fe4cd7520d7e76523bafb9d06cc78d0346bbfaec14", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "10ddbeb4-ab0c-5847-bb45-ecda226931f3", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480817Z", "creation_date": "2026-03-23T11:45:31.480821Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480828Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ded1bffeb296f566935ea030bf2d02f7d530f01c7a0774383385a5dc3ebf2698", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "10e3b176-0cb0-5000-a3de-38d2bfd04722", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477420Z", "creation_date": "2026-03-23T11:45:31.477424Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477433Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "c1a547472666006fc7a0439a37ccd7b5fce11818460ebcc42b57649e523433c1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "10f1af51-06f9-5b96-9ab0-b6578fb9d5ea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618322Z", "creation_date": "2026-03-23T11:45:29.618324Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618329Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e2d6cdc3d8960a50d9f292bb337b3235956a61e4e8b16cf158cb979b777f42aa", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "10f449c9-caa2-5655-83b9-f7627e07ff04", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972664Z", "creation_date": "2026-03-23T11:45:29.972666Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972671Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "54e969dc477af9a3e5b53dc4edaebc41a7b73c87ecca13dc1fbb8dfc86c0fd78", "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "10f5c81d-f3e1-56d3-a12d-8948caf2974b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812945Z", "creation_date": "2026-03-23T11:45:31.812955Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812963Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bd68e81f338b91c2381dcd1e37f4c4e5649acad687608d9dbc1fa8fe24c346b8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "110574b3-e699-5994-b4ac-07b492b2a088", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983193Z", "creation_date": "2026-03-23T11:45:29.983195Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983201Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "708016fbe22c813a251098f8f992b177b476bd1bbc48c2ed4a122ff74910a965", "comment": "Vulnerable Kernel Driver (aka b3.sys) [https://www.loldrivers.io/drivers/adfb015a-f453-4b9e-a247-50f146209eb0/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "110d6a55-ff1e-5067-bd87-3d6e9647f0b4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813777Z", "creation_date": "2026-03-23T11:45:31.813781Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.813790Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ef5103072db29437d68eb24998bdc7b15533d2fe8108929acb1dff805c91a7a0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "11143612-92a8-507a-a673-9e78fb38ea0a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160322Z", "creation_date": "2026-03-23T11:45:31.160324Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160332Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "97cadcc0170ca3d521d2018628050caab2f27ef2f181180c74c2ab25277941ee", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "11145577-5d08-5c7d-a685-2862d84bc823", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619194Z", "creation_date": "2026-03-23T11:45:29.619196Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619202Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1963d5a0e512b72353953aadbe694f73a9a576f0241a988378fa40bf574eda52", "comment": "Super Micro Computer physmem tool (aka phymem64.sys)", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "111af200-3ecc-5a57-9ad3-f4177ce37d4d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833838Z", "creation_date": "2026-03-23T11:45:30.833841Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833850Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6236bddd0fa696e9364fac7f0fa5ae38e9c76adf6d6fc504f8f8aae6d7ae03f2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "111fd345-cb8a-5920-b1fa-fa050c873e28", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159330Z", "creation_date": "2026-03-23T11:45:31.159332Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159337Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e4594fa9bf1a89b5542345f20ac7dac79fd1afa4cc6ff494fe9249973ec9d0c8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "113a3840-45cf-539c-93a5-a5b4544cb9c8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498010Z", "creation_date": "2026-03-23T11:45:31.498013Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:31.498021Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "84425276857168c194eba0c8cd74ff58ddf229bea91fb0392ae66a452c0e79e7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "113caa7c-92cc-52a4-938c-11c59c12a02d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826764Z", "creation_date": "2026-03-23T11:45:30.826767Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826772Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "98d8b701a2a49ad621ea9ef4f4776ffab02570a4df4f9cc9f3ce14a307fe7939", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "116068d4-af1f-53c9-abe9-0c680455dca4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156638Z", "creation_date": "2026-03-23T11:45:31.156639Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156645Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "76219892d1b31c3be29dc56b66a296de68da0019e636aaae64fce74401d0a924", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "11756f25-3436-56b1-81b3-e763ab782bc6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812472Z", "creation_date": "2026-03-23T11:45:31.812474Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812480Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e5cbf39a275265519ae5f8260f031f9e5a3a2f1eae333742ed49f0cc61a5e60a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "11793f33-ef97-518d-a6df-c8ccfc0c5f06", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824042Z", "creation_date": "2026-03-23T11:45:30.824045Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824050Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "361afe55e0a6f5f911fe1b3445c56a5287b26ec735073d2e28e17b8bf8d4b4b9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "11a14e3d-25ad-5e0c-b911-e369c24b4835", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832694Z", "creation_date": "2026-03-23T11:45:30.832696Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832702Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7be7b71c3bdbc7e4868e4b2ae6ae20adad8bef30a77b3387810243459dcaa548", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "11a9a0e6-50af-540c-a316-94916c1b45cc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487396Z", "creation_date": "2026-03-23T11:45:31.487398Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487403Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c910fea59299110d2c171f5ea22966bd06108fdfda45f2e01f7f758ddefc7ce", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "11bd6a87-11c3-5c86-a2f6-d60e06b828f4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820495Z", "creation_date": "2026-03-23T11:45:30.820497Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820502Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "353a36d445e4ff60396702ad7b22b5f30bdce52aa05126e2701714a3f11a11c7", "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "11beae37-c0f2-517f-bc62-3e0ed64447b6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818260Z", "creation_date": "2026-03-23T11:45:30.818262Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818268Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "38535a0e9fc0684308eb5d6aa6284669bc9743f11cb605b79883b8c13ef906ad", "comment": "Vulnerable Kernel Driver (aka 
kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "11c0f44a-12de-5f90-bba6-7c0c8d4f3ebd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143254Z", "creation_date": "2026-03-23T11:45:31.143256Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143262Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "db2234daab27f977b59c1d9e1540ca0dab986334bffd435233b1f9213b8f6b45", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "11d9d740-1d79-51ef-b926-aa915e1794a2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458607Z", "creation_date": "2026-03-23T11:45:30.458611Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458620Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f62282e44713d7d2f4c780027c7bbb82ba0b491c8836dfae33a2d82e8b5a43d2", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "11ec0f90-8611-59a7-9d30-0e5646d2cdf1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147963Z", "creation_date": "2026-03-23T11:45:31.147966Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147972Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea1fc5332092cbe167622a54ff2f118a7235a7baa948c77e39a2ffafb285b1a1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "11ee222a-f75e-58c9-9b8e-1f01a57a67f6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613581Z", "creation_date": "2026-03-23T11:45:29.613582Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613588Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9d9346e6f46f831e263385a9bd32428e01919cca26a035bbb8e9cb00bf410bc3", "comment": "Vulnerable Kernel Driver (aka AsrSetupDrv103.sys) [https://www.loldrivers.io/drivers/19003e00-d42d-4cbe-91f3-756451bdd7da/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1202839a-e63e-59e8-a369-0ec81d96cb57", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486524Z", "creation_date": "2026-03-23T11:45:31.486528Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486537Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9799688dc73f444eae7b4b7e681ae31d6e4cfcf9c48f59ac5b6132b22e65f58f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "121621fa-2e99-5adf-a1cb-d7b99a284449", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825973Z", "creation_date": "2026-03-23T11:45:30.825976Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825984Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d52c8e1568a6bbf29705a5be45a76a4b87dc54d557d5fd17a025c951d643b882", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "121963dd-984f-5ba1-83b8-a9e296ab6676", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816080Z", "creation_date": "2026-03-23T11:45:30.816083Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816088Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "df4c02beb039d15ff0c691bbc3595c9edfc1d24e783c8538a859bc5ea537188d", "comment": "Vulnerable Kernel Driver (aka sysconp.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "121e33f0-7dc2-5f8a-9a84-e7de2621cf4c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619592Z", "creation_date": "2026-03-23T11:45:29.619594Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619599Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ed10b06e6b4b0548bdada6b5665432306e934df173707edd3af9e4a4547e43e", "comment": "Insyde Software dangerous update tool (aka segwindrvx64.sys) [https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Program%3AWin32%2FVulnInsydeDriver.A&threatid=258247] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1224c893-5ce2-5553-8b9a-9660352e6af1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156414Z", "creation_date": "2026-03-23T11:45:31.156416Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156422Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4373d838097eefc9de85cff89356cf450641a3b3f057cee49e7ef1333a54ceed", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "122509f3-168d-5341-9365-776d9a0a5d0a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821728Z", "creation_date": "2026-03-23T11:45:30.821732Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821740Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "40eef1f52c7b81750cee2b74b5d2f4155d4e58bdde5e18ea612ab09ed0864554", "comment": "Vulnerable Kernel Driver (aka 
ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "12306b70-0bee-5294-813d-190b7814b118", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821300Z", "creation_date": "2026-03-23T11:45:30.821304Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821312Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e502c2736825ea0380dd42effaa48105a201d4146e79de00713b8d3aaa98cd65", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "123f5739-b970-53e7-ac63-a51df4991e40", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467002Z", "creation_date": "2026-03-23T11:45:30.467006Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:30.467015Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "71c0c98aa54dc88af8b094ceef88352052d592e0f40892825dedbf1abba16635", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1241a202-b03c-5c34-8347-dbdabdcbeccf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452622Z", "creation_date": "2026-03-23T11:45:30.452625Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452633Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "23787eb342fd38da73ce785023176f98304267c6f6fa8a50e718da096c7a7951", "comment": "Vulnerable Kernel Driver (aka phydmaccx86.sys) [https://www.loldrivers.io/drivers/1055625b-3480-48b3-9556-8628a745d8f0/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1241b2fe-a129-5bbc-aace-d89b135da0a5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466352Z", "creation_date": "2026-03-23T11:45:30.466355Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466363Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "efa56907b9d0ec4430a5d581f490b6b9052b1e979da4dab6a110ab92e17d4576", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1250906a-82b8-59ee-b5db-212b4b7708a5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819864Z", "creation_date": "2026-03-23T11:45:30.819866Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819884Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6c049aff27517fe269517b07bdc8ef1e7b26e1e76276b02dc5a9688901a88de3", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"12541cac-c629-5316-ba0e-7cd9558387db", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826151Z", "creation_date": "2026-03-23T11:45:30.826153Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826159Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3c3eac96b30874254834799669ba353408f3ad1e088d4294c9aabd76e8365019", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "126605a2-954b-53a9-9480-a75e716dd102", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490384Z", "creation_date": "2026-03-23T11:45:31.490386Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490391Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0abc0c88644a441a816aa86b0d10a0ed9c234b67e3deb276db29a752575b61a2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "126e6280-2b2e-5132-b0a8-a5013c769903", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464973Z", "creation_date": "2026-03-23T11:45:30.464977Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464985Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a32dc2218fb1f538fba33701dfd9ca34267fda3181e82eb58b971ae8b78f0852", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1272251d-faf7-52b1-994d-8fee62ad4c06", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480322Z", "creation_date": "2026-03-23T11:45:30.480325Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480335Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d9cbdfc10ba743d5229f7dbb6507b9864012fb58cb253da92962dc611603a73c", "comment": "Vulnerable Kernel Driver (aka GEDevDrvSYS.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "127bdf0c-4bbe-5652-b13d-43c32ca67872", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486421Z", "creation_date": "2026-03-23T11:45:31.486424Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486432Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "67dcba22bf61411cf08b8969af50b289e6b39bc72be07a1d4f2a43b3d0f81f8e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"12868a34-5406-56de-956a-75e25d3dec39", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820195Z", "creation_date": "2026-03-23T11:45:30.820197Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820203Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "978a1e937dd4c03eb2f2a55a0ed8b14294c5c175584ebf85bd20b889bdc9378c", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "128a4e46-aa09-5aac-b0bd-4205c46a425f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461041Z", "creation_date": "2026-03-23T11:45:30.461045Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461054Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "11208bbba148736309a8d2a4ab9ab6b8f22f2297547b100d8bdfd7d413fe98b2", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "12a41168-0462-51a8-9a45-9b83bbc6b4c7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475027Z", "creation_date": "2026-03-23T11:45:31.475032Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475042Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bccfd41865d666e484b466d20329f31d9689dfe383de42cf3b8ed0465d24aa04", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "12ab50f9-6593-5e39-ab91-c40e5e43ed93", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984476Z", "creation_date": "2026-03-23T11:45:29.984478Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984483Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9f70169f9541c8f5b13d3ec1f3514cc4f2607d572ffb4c7e5a98be0856852dd8", "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "12b4ea0e-3b93-585e-a69f-87dc66b5c24c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830563Z", "creation_date": "2026-03-23T11:45:30.830565Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830571Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "342a4f20a79388bf0773e9ff1ce5146dd12d2daa8199ad9b9b7b8f509f4aae19", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "12ba60f2-bcb1-5f7f-81c1-80c615b11322", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486610Z", "creation_date": "2026-03-23T11:45:31.486613Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486622Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee2acea763a02c1ca721a87f3740ae2ba7c442841554f27dd215f66d61545c3f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "12c48090-aa7d-5781-b155-485c1e672cec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144682Z", "creation_date": "2026-03-23T11:45:31.144685Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144690Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "74acdbb7bd8674e46a3e72fc6bd5e069e7268707860a2593a969f0fce78bb056", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "12e32e43-ca65-5ea8-a8f2-f57f007371ba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819372Z", "creation_date": "2026-03-23T11:45:31.819374Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819379Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7820102b73f0b6adbed965be95c2880788c0bc84bfa743c50dcf48164616ae42", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "12eadc57-9c8f-5f83-a8f1-7b831ff796bb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492073Z", "creation_date": "2026-03-23T11:45:31.492075Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492080Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7553c03169bb960696f1eb35db43c41a3a821c5eb05911642c95457f8c7e871f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "12f5ee20-d86d-5d1b-8324-332be0951370", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820772Z", "creation_date": "2026-03-23T11:45:30.820774Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820780Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a97b404aae301048e0600693457c3320d33f395e9312938831bc5a0e808f2e67", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { 
"id": "13069652-2d29-58c3-a9fe-3cef038e622d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149424Z", "creation_date": "2026-03-23T11:45:31.149427Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149436Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4c9bde89e72111cb03fc68dd0a25cb76288bbb951fc2995b8cecc8b8abf6dec5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "130f1259-890b-575c-af2c-86de58df83e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980012Z", "creation_date": "2026-03-23T11:45:29.980014Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980019Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2dec76da0b361e4ed49a4015e67cefb0e6b812103d8ebf93b74016d99d9fcfad", "comment": "Vulnerable Kernel Driver (aka Monitor_win10_x64.sys) [https://www.loldrivers.io/drivers/ca415ed5-b611-4840-bfb2-6e1eacac33d1/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1319bb43-9c2e-5ace-b293-cd20038a552e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459186Z", "creation_date": "2026-03-23T11:45:30.459189Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459198Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "12656fc113b178fa3e6bfffc6473897766c44120082483eb8059ebff29b5d2df", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "131ee303-f4c6-59e6-ad33-9d39ed4158ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821556Z", "creation_date": "2026-03-23T11:45:30.821559Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821567Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "26ecd3cea139218120a9f168c8c0c3b856e0dd8fb2205c2a4bcb398f5f35d8dd", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "13311cd5-daed-5c3b-8f3f-5b18cdf66655", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830113Z", "creation_date": "2026-03-23T11:45:30.830115Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830121Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "989b20aaaedb1724948b96d3873d86fae7889c3f3342a4bc87fe5dbd2a66ca4b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "133bb6d1-3a8b-59cf-9eaa-fac7e746bf47", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154449Z", "creation_date": "2026-03-23T11:45:31.154451Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154456Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e2ab7d04d40166f22ba4557f119c92caeb43b6d6bdeba179f040cc85b7dcaeae", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "13514800-d2bf-5aac-bcd4-e970bce409ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462342Z", "creation_date": "2026-03-23T11:45:30.462346Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462354Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "8210a89ba143d927384d7b2e6b3714d6ae9a9a384796ec6e306df38ca91e9c4e", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "136455b6-2ecf-57aa-855a-f81b9ab24af2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979064Z", "creation_date": "2026-03-23T11:45:29.979066Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979072Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e75714f8e0ff45605f6fc7689a1a89c7dcd34aab66c6131c63fefaca584539cf", "comment": "Vulnerable Kernel Driver (aka LHA.sys) [https://www.loldrivers.io/drivers/eb07ef7e-0402-48eb-8e06-8fb76eda5b84/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "13691976-af84-53f9-95e9-bb2b56d9702d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.819226Z", "creation_date": "2026-03-23T11:45:31.819229Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819234Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "037feddbfda7bd71bd251f82cacac9ddbc7e11bc6d0c27a32d439b86c27907e8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "136a498b-416e-549e-ab18-a8d88dd0fdee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825614Z", "creation_date": "2026-03-23T11:45:30.825617Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825622Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "42a8d5d800c2f86648c2b852205354599ee5b3702fb58b5b86b6caa513690330", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "136d9937-07de-52eb-970a-4b8d627ef6d8", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458550Z", "creation_date": "2026-03-23T11:45:30.458553Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458562Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8ac341d36e1af8959de6410a976400ded8554f5ffb6a462a8080c38a0140f4d4", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1377f9e9-7926-50a3-8c26-b4a145a98ab8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818577Z", "creation_date": "2026-03-23T11:45:30.818579Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818585Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"c6db7f2750e7438196ec906cc9eba540ef49ceca6dbd981038cef1dc50662a73", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "137fc969-2b90-5ac8-9203-7686497ae954", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488586Z", "creation_date": "2026-03-23T11:45:31.488588Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488594Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5623f7e0ee46d7b957b837cca853cba4ccbd91c9ef614a063aa731f87f36c370", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1381530d-1548-583e-9b8f-6688a7a70576", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.155327Z", "creation_date": "2026-03-23T11:45:31.155329Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155335Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eb7d84d567204a528cafc729897d3a6a2ebcceb6cca287c585335069deee24c5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "13917c01-d5fc-5581-9056-fece2e3731e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148078Z", "creation_date": "2026-03-23T11:45:31.148080Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148086Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ce44334bec3fe07364bae329eaccf6d39124b7d5ef1485f596b1b1c94f4f182d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1396e8d3-1fa5-5fcc-9c12-d3f24d2d5216", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611464Z", "creation_date": "2026-03-23T11:45:29.611466Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611471Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "02fcbc5372c9bf31903376bde11d558ab7c7f13bde005120e24bdb1aef5d0134", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "13a5ba2c-788b-58b1-bfea-7fbf4ecad650", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983902Z", "creation_date": "2026-03-23T11:45:29.983904Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983910Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": 
[], "type": "hash", "value": "dd4a1253d47de14ef83f1bc8b40816a86ccf90d1e624c5adf9203ae9d51d4097", "comment": "Vulnerable Kernel Driver (aka iomem64.sys) [https://www.loldrivers.io/drivers/04d377f9-36e0-42a4-8d47-62232163dc68/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "13ad4e8d-4f6e-5cdf-aec9-5d5c764563b2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827630Z", "creation_date": "2026-03-23T11:45:30.827632Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827637Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5c357ccc50a8511019d0beb93a910bdc3ea7ca5048e41f4f6cfca83cdd53aad9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "13ae6c2e-50e5-5735-b522-9f33e0a477bd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.970547Z", "creation_date": "2026-03-23T11:45:29.970549Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970554Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a0931e16cf7b18d15579e36e0a69edad1717b07527b5407f2c105a2f554224b2", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "13befc9e-fa56-5455-9497-1484c9a473bf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827255Z", "creation_date": "2026-03-23T11:45:30.827257Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827262Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5472de65d2797e341862f32e40c7e6bc71f0c481a3b7dfc3198b490d7d7427fb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "13c075fb-5eac-503e-bf72-3780ce4ad39c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621089Z", "creation_date": "2026-03-23T11:45:29.621091Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621096Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7f375639a0df7fe51e5518cf87c3f513c55bc117db47d28da8c615642eb18bfa", "comment": "CoreTemp Physmem dangerous drivers (aka ALSYSIO64.sys) [https://www.loldrivers.io/drivers/4d365dd0-34c3-492e-a2bd-c16266796ae5/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "13c236a2-a836-530b-82fa-28adad19b6b7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154058Z", "creation_date": "2026-03-23T11:45:31.154060Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154066Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "39088113e8638c131fe41496671223fcc3c8e08e1a1adc2e48b38b61d3712c19", "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "13c6a3cb-2d76-5376-bc4e-9bf8600c5eb4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474961Z", "creation_date": "2026-03-23T11:45:31.474965Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474976Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e07521d559535a1ff648828c885d426cca5fa2b92d6ca2637d985a8fc8b5454d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "13cd0717-534a-50ac-9363-23f9d830eca5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826973Z", "creation_date": 
"2026-03-23T11:45:31.826975Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826981Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ad9147b40c939210c0c4ee4f0127a7cb5ef3d6b768835f5be24cc178c8505a40", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "13cef623-5e33-5bfc-bfa0-2d7467f59ff6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970037Z", "creation_date": "2026-03-23T11:45:29.970039Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970044Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a465cfa7a0bd76dfe8f261661d348e25d1a6a3975673336f90878618f2e6c21b", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "13d71092-fe88-52d5-a1b0-2d5476d6506a", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614683Z", "creation_date": "2026-03-23T11:45:29.614685Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614690Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "89b0017bc30cc026e32b758c66a1af88bd54c6a78e11ec2908ff854e00ac46be", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "13d759f3-a0d4-529f-b2c3-36fc61e6ddd1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456423Z", "creation_date": "2026-03-23T11:45:30.456426Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456435Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"e41d4fd99252fcf9aea529b6e148b311aa26a4ab04f6b79cce4cd19c61db0c87", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "13d900e8-b51b-5904-a13f-c1e52b3a623e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159140Z", "creation_date": "2026-03-23T11:45:31.159142Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159148Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6496601ffcf0b20318e0b30958b8d2034604884c8e4f418c1262e31637bff6d1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "13e02b56-cce9-5d64-9bc8-58d126ff8b1c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456694Z", 
"creation_date": "2026-03-23T11:45:30.456697Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456706Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a92d2736c8cd99195a1ef4d0d9a3412bee481acf585944e3b5946b465361a3e7", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "13ed4d8b-d4b7-560a-8efb-1d38a806cdb8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977333Z", "creation_date": "2026-03-23T11:45:29.977336Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977344Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "455bc98ba32adab8b47d2d89bdbadca4910f91c182ab2fc3211ba07d3784537b", "comment": "Vulnerable Kernel Driver (aka netfilterdrv.sys) [https://www.loldrivers.io/drivers/f1dcb0e4-aa53-4e62-ab09-fb7b4a356916/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "13f2af91-cd0f-59c0-a9cf-e37ff2460399", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150176Z", "creation_date": "2026-03-23T11:45:31.150178Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150184Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "23641b9366567f6f8543853b84d8c97d818d848b056e776bb1cafcfecd22bc05", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1403247d-f2d5-5609-b5cb-26c195da03cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613928Z", "creation_date": "2026-03-23T11:45:29.613930Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613935Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3de51a3102db7297d96b4de5b60aca5f3a07e8577bbbed7f755f1de9a9c38e75", "comment": 
"BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "140d8201-8d8d-582f-9aff-25aafe5b9440", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606008Z", "creation_date": "2026-03-23T11:45:29.606009Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606015Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1b00d6e5d40b1b84ca63da0e99246574cdd2a533122bc83746f06c0d66e63a6e", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1414c3db-ab57-5b5c-8025-4208058bcc41", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.973450Z", "creation_date": "2026-03-23T11:45:29.973452Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973457Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cc687fe3741bbde1dd142eac0ef59fd1d4457daee43cdde23bb162ef28d04e64", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1415d079-b077-5e35-9e0a-e7134a8010d4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619558Z", "creation_date": "2026-03-23T11:45:29.619560Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619565Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f1f345591efe74fd12e706132939f51963eb39dd0a1db556123c3e850c60fada", "comment": "Insyde Software dangerous update tool (aka segwindrvx64.sys) [https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Program%3AWin32%2FVulnInsydeDriver.A&threatid=258247] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"142db16a-a14d-59b9-975b-987aaf865836", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967622Z", "creation_date": "2026-03-23T11:45:29.967624Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967630Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5c206b569b7059b7c32eb5fc36922cb435c2b16c8d96de1038c8bd298ed498fe", "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "142e5b48-476f-55e9-8f79-dcdcbf407261", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818295Z", "creation_date": "2026-03-23T11:45:30.818297Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818302Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "9917144b7240b1ce0cadb1210fd26182744fbbdf145943037c4b93e44aced207", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "143c1959-80d3-5468-a6e6-c1d3eed062f9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147893Z", "creation_date": "2026-03-23T11:45:31.147897Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147906Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fc4dfcb9ddcc41909bf99e4c197da3778afcdf6431862177c289b6200da0ebe8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "144d9b36-3c42-5036-92e6-17a12035fd58", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:30.466608Z", "creation_date": "2026-03-23T11:45:30.466611Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466620Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aafa642ca3d906138150059eeddb6f6b4fe9ad90c6174386cfe13a13e8be47d9", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "14620831-106c-5eb4-87bb-da564c6a8790", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816967Z", "creation_date": "2026-03-23T11:45:31.816969Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816975Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a54e9e7fb0dd039ffd724cc5203ddcc1dd898c5224ae74e2327d3fa97a309643", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "14665a92-845b-5321-9eab-331660560bad", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150356Z", "creation_date": "2026-03-23T11:45:31.150358Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150364Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6f571267b63865e23f63bd549e3309f07fb8a5b4421ad6ca1d04eae3d3e90394", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "146b9a56-8b03-55d4-af11-7bbbb9dfe5b4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982940Z", "creation_date": "2026-03-23T11:45:29.982948Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982953Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "5e27fe26110d2b9f6c2bad407d3d0611356576b531564f75ff96f9f72d5fcae4", "comment": "Vulnerable Kernel Driver (aka WiseUnlo.sys) [https://www.loldrivers.io/drivers/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "146d50a3-c782-53bf-9ba9-905f5712b1d5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817551Z", "creation_date": "2026-03-23T11:45:31.817553Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817559Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9341856f3855acf21a36fa25c9539dade2182a029ebac116811eb49abff9cbe7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "146f645d-46b6-5c6f-97db-0da4bc7025c6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.817311Z", "creation_date": "2026-03-23T11:45:30.817314Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817319Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "84683c840af3440b8b40d34088ec852e092f882ca558409d8338f1f5f46d2741", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "14786b4d-b75b-5b06-8270-c6f57694cc25", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455247Z", "creation_date": "2026-03-23T11:45:30.455251Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455260Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "651ffa0c7aff7b4a7695dddd209dc3e7f68156e29a14d3fcc17aef4f2a205dcc", "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1478990a-6173-5836-b2d1-033d954adc0e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979116Z", "creation_date": "2026-03-23T11:45:29.979118Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979124Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dcd5404c83f74f0b7a8d0735174af78782aaa99d2b5b5b24f44c48b295a2ba31", "comment": "Vulnerable Kernel Driver (aka LHA.sys) [https://www.loldrivers.io/drivers/eb07ef7e-0402-48eb-8e06-8fb76eda5b84/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "147ffe77-4c9a-5ceb-8b85-43b7d1a35d0d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140708Z", "creation_date": "2026-03-23T11:45:31.140710Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140715Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f26e088583f9a5f518c64c2406c70c90ff50142574389459a0da579448a8f0ea", "comment": "Vulnerable 
Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "14806960-67e3-573d-8cdc-bffe1470d7bf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610581Z", "creation_date": "2026-03-23T11:45:29.610583Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610591Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8cf0cbbdc43f9b977f0fb79e0a0dd0e1adabe08a67d0f40d727c717c747de775", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "14825860-c440-5708-a424-6a93f8981c23", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611949Z", "creation_date": "2026-03-23T11:45:29.611951Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611956Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b8b94c2646b62f6ac08f16514b6efaa9866aa3c581e4c0435a7aeafe569b2418", "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1495dbe3-877c-5c16-afe6-09c53c8ebc3f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974801Z", "creation_date": "2026-03-23T11:45:29.974803Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974808Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "13002b14aa6e63dc7117e2969d038beb009dbd6093a4590c6913b426d773dea3", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1497784d-e0ed-5a05-bc0f-b3f605709cb8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481104Z", "creation_date": "2026-03-23T11:45:31.481108Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481117Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0c6bcd1ac8da860f8f9213d19df235669226f455f6a1fc0f975463085e59ad7d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "149a44bc-d5dc-5b73-97ac-292075977f5f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486934Z", "creation_date": "2026-03-23T11:45:31.486937Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486955Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"fdf17b4b7f4f3fed37647e37bb85448bf06c3e07ea6663d758af1b8a84ea2ca3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "14aefbb1-5c8f-5b0c-8751-ae2d942f7925", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476932Z", "creation_date": "2026-03-23T11:45:30.476935Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476951Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5e789b6d535b49c66c658978099e50fa2f8d02c2511bdaf9358bb8e40bdcef8e", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "14afbff7-3dce-5ef7-a3d9-9dcbca00da51", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142827Z", 
"creation_date": "2026-03-23T11:45:31.142829Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142834Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "533527cc7c4a72ac5ca7be7b01df2989412bc820da29e3eac0fb24b3be5b8169", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "14b14343-29ad-5b4c-921e-372488ae9ead", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970729Z", "creation_date": "2026-03-23T11:45:29.970732Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970740Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9df2cfbe1c9e6f616726a88310a33bb856126fb490f7f0d16229d97dbb50ae2f", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "14b734b3-a959-5ccd-a96d-73d5f8a5df6e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976818Z", "creation_date": "2026-03-23T11:45:29.976820Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976826Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7131fedf0462c49e5060d3545f49a74d5f937ad84fc1a747a8a766f61a2958df", "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "14bcf3f3-b464-55fe-9b38-89ba68af65ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982068Z", "creation_date": "2026-03-23T11:45:29.982070Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982076Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2470fd1b733314c9b0afa19fd39c5d19aa1b36db598b5ebbe93445caa545da5f", 
"comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/b03798af-d25a-400b-9236-4643a802846f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "14c1febc-aa56-50a6-b6ec-fc2ef883b207", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.478552Z", "creation_date": "2026-03-23T11:45:31.478556Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.478581Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "415a90c32f8b4651eb5c81cae348549d8792da1b9dac8fbefe0178667b947238", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "14cc30b4-746b-51cf-8a66-6d987602cc2c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835684Z", "creation_date": "2026-03-23T11:45:30.835686Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835691Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b6a14e072636da3560bc7d52ccf9c6c6706666eb7e813b422e88782ca1b4d838", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "14d06643-7993-59f5-b03a-d670d8fc33cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480168Z", "creation_date": "2026-03-23T11:45:30.480170Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480176Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f82cde6dc693a4ac8b485ac9225f2641141213f8333b0be8d7134d0139f17c26", "comment": "Vulnerable Kernel Driver (aka IoAccesssys.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "14db5509-3e34-5a9f-946a-27d4011c4f58", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617341Z", "creation_date": "2026-03-23T11:45:29.617343Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617348Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "321cc3f24a518c70fb537ee9472b1777d05727c649d5b6538082a971c40ddcbe", "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "14de6487-6f53-50e3-8419-c512e4cb71b0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478760Z", "creation_date": "2026-03-23T11:45:30.478763Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478772Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4bef5f5160c6a981562597dda319f9a235c28d5beba5268a454f734500ec1f4f", "comment": "Vulnerable Kernel Driver (aka 
Tmel.sys) [https://www.loldrivers.io/drivers/1aeb1205-8b02-42b6-a563-b953ea337c19/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "14e9eaeb-27b8-5416-a2db-03d761558401", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144540Z", "creation_date": "2026-03-23T11:45:32.144542Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144548Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0dc9021f0c02e18f4c3357da42630adf515655b9473f93385c5c157efd5da4ac", "comment": "Malicious Kernel Driver (aka driver_4d8bc539.sys) [https://www.loldrivers.io/drivers/e7fd8ffc-ab37-4a7b-8dc9-fc7432fbacae/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "14ffc62a-9a7c-5143-b386-065e7d9c6c70", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614455Z", "creation_date": "2026-03-23T11:45:29.614457Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:29.614462Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "30706f110725199e338e9cc1c940d9a644d19a14f0eb8847712cba4cacda67ab", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "15022bcb-7506-5cc8-bda0-a4d81bb9a593", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826296Z", "creation_date": "2026-03-23T11:45:31.826298Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826304Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "56b53c8e746727dbd14fabc55d09c4ddd9d8f6bf2f2f65870128436eaa2bd921", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "150d01b8-8c88-5a7d-933d-b63fef82cc02", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474033Z", "creation_date": "2026-03-23T11:45:30.474036Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474045Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "506ec3e8b28e52be36b89041bbcd9933b7b79eaf8a53594186813d0f60edebc9", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1537d4e2-7032-5295-b9e9-53219a730d0f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809962Z", "creation_date": "2026-03-23T11:45:31.809965Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809974Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d13637f79117ce08698aecc26dd7e2a84f85d83540d2eda6dda8828ac22ce982", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "153f511e-f15b-59ac-b8ae-9fe3e547d4d3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820564Z", "creation_date": "2026-03-23T11:45:30.820566Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820571Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "489c02d8102fc401010793d7388b59dc944a2e77cf4179424015cd863701b19b", "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "15404f1e-c16d-57be-af6f-256f1536565b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468500Z", "creation_date": "2026-03-23T11:45:30.468503Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.468512Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d9c3857d2959a3eff45eefe43d8ed1c23bd6908ae8a9a7e2e4e402bbf3e6d3ec", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "154b9623-2e26-578e-91c6-d3a64f9a7510", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822564Z", "creation_date": "2026-03-23T11:45:30.822566Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822572Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0bfed811a8ae3fa634372f74f0d70de1e0183612e91f56ae034486571b55b88b", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1560ccbf-6109-526c-9d80-d33e25f73f59", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154726Z", "creation_date": "2026-03-23T11:45:31.154727Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154733Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9b43dd0ad0664b038cbb94c4a8282b6f3a0fdd81d311a7960b484895a2846ef1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "15758380-ec92-5f05-b781-df1c2385e8cb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454623Z", "creation_date": "2026-03-23T11:45:30.454626Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454635Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "33bdaf3ab141db0f4c6a2c1f9fb047b4e5c6fa6ddc709d905efdd24c2b43041c", "comment": "Vulnerable Kernel Driver (aka atomicredteamcapcom.sys) [https://www.loldrivers.io/drivers/a02e1801-f6fb-41c3-a782-05fdbed44a3c/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1578159f-3d46-5dc7-bf47-556106d9ea36", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622793Z", "creation_date": "2026-03-23T11:45:29.622795Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622800Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "96a5b3cd7c1a6dda5b6f402e6c35ba535270467f56addc7448dbe4aa78428411", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "157ca590-e633-5fda-88e0-59f7ec2227ea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816065Z", "creation_date": "2026-03-23T11:45:31.816069Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:31.816077Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8df573e666344fc1a1212c60c35cd2ab86b131f887c1d6dba74f452b691ae2d3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "157ea4da-eb7d-59d0-bd12-089b9ed30283", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820337Z", "creation_date": "2026-03-23T11:45:30.820339Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820345Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a29093d4d708185ba8be35709113fb42e402bbfbf2960d3e00fd7c759ef0b94e", "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "15824e4d-a332-5e06-9758-09f2e9990ca6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491469Z", "creation_date": "2026-03-23T11:45:31.491472Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491479Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d367b60a73402c6007a87e274c72e2e7c1a0d8e0f2304550b6a380833e2869c6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1587cc47-cbd4-51de-bdb7-3eb08867d2d5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466298Z", "creation_date": "2026-03-23T11:45:30.466301Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466310Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "082a79311da64b6adc3655e79aa090a9262acaac3b917a363b9571f520a17f6a", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "15981c82-3634-5c99-b303-05e8b96b952c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469867Z", "creation_date": "2026-03-23T11:45:30.469886Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469896Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "261969a99718fc68b576eb7b58dbdf7c7a781c8f4572b7a77a0be0eec4b32dc2", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "159b81ef-6fda-5a96-97c9-47533b1d70bc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822459Z", "creation_date": "2026-03-23T11:45:30.822461Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822466Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "19f89530b8caf720c91c82977132bb1fb2afe695b426b51a1ae1b35570805f32", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "15a8ee87-b2f1-5591-acb9-d68975604258", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977712Z", "creation_date": "2026-03-23T11:45:29.977714Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977719Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f3efcf47681d9f96afcbc843a241c21a643b173c48270446f6fe634991a57847", "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "15b47584-370d-5500-886a-85b11f589c90", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143429Z", "creation_date": "2026-03-23T11:45:32.143432Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143437Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f9418b5e90a235339a4a1a889490faca39cd117a51ba4446daa1011da06c7ecd", "comment": "Vulnerable Kernel Driver (aka GPU-Z.sys) [https://www.loldrivers.io/drivers/0d6f1b0f-b94d-4254-b3bb-49de61246260/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "15ba9560-f528-5d70-bb3c-9d4b58c08e72", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968580Z", "creation_date": "2026-03-23T11:45:29.968582Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968587Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "36e3127f045ef1fa7426a3ff8c441092d3b66923d2b69826034e48306609e289", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "15c9c212-ee5a-5437-a41e-ceda62d0aa84", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604538Z", "creation_date": "2026-03-23T11:45:29.604540Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604545Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0376d4554b4828a7e3721327cb4c9977301c02eb8c50d10d376d3be623d71e3a", "comment": "Vulnerable Kernel Driver (aka STProcessMonitor.sys) [https://github.com/ANYLNK/STProcessMonitorBYOVD/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "15d0fd27-5812-53ba-a9d1-3bf24cf29c61", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468849Z", "creation_date": "2026-03-23T11:45:30.468852Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468859Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dc732dc22d0521fce33ed9c37359f702c985d2f35bc00209c3a4a076d6ff564d", 
"comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "15da0706-be96-50c0-b884-b192e24d2182", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974713Z", "creation_date": "2026-03-23T11:45:29.974715Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974720Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "886b28af7d2907a61720da0b6ea5d88a9a8512ceb120e88889f3fedd6bf313b4", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "15ff4712-7fef-566f-9e5c-7be664522f3d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973552Z", "creation_date": "2026-03-23T11:45:29.973554Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973559Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3c4207c90c97733fae2a08679d63fbbe94dfcf96fdfdf88406aa7ab3f80ea78f", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "160086d3-7131-5956-a08f-3c7c1c54993b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621298Z", "creation_date": "2026-03-23T11:45:29.621300Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621306Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dde6f28b3f7f2abbee59d4864435108791631e9cb4cdfb1f178e5aa9859956d8", "comment": "ASUSTeK vulnerable physmem driver (aka AsIO64.sys) [https://www.loldrivers.io/drivers/79692987-1dd0-41a0-a560-9a0441922e5a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "16137621-a1e4-520b-b398-6845f3c6b427", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826318Z", "creation_date": "2026-03-23T11:45:30.826320Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826326Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b836d9305dd22387514c2e1507cf36646c11abf088088bc3f7e6ede49113fcdb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "16157b50-8677-5e5a-9679-385642f57acf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830926Z", "creation_date": "2026-03-23T11:45:30.830929Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830934Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c861174040ee2b28e4f79fa1d5829356f8e728a4913d41c217d15a1742636f32", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1616d13c-ab3f-5b1c-a737-6c63860c4a8b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472080Z", "creation_date": "2026-03-23T11:45:31.472084Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472093Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7b568c4e4c1c7dd554cfdf07bf0132f3465a4afeed5a9ce706edcf7860b26f0a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1627cb79-875d-5ba1-9838-c6cf4ed90875", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612699Z", "creation_date": 
"2026-03-23T11:45:29.612701Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612706Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1d5ded14ba7821a1021815e70399801bf87dadf9b9eb17325e3c918d53971c8e", "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1638ff1f-2991-5296-b351-7177cfd89412", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814747Z", "creation_date": "2026-03-23T11:45:31.814751Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814758Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eaf8ebd8ded6b90d0a18a8ba64a0e8204da93ff0012b119dc509fa4167b0098a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "163db276-568f-529a-866a-2c1977160f7b", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477957Z", "creation_date": "2026-03-23T11:45:30.477960Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477969Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "633ae4822602acd252ff23e73ef4cc98130f3e3988ac459f7fda5102fcef5fce", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "163e58a7-c43c-5aa6-a62d-1cba52cd4c38", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144909Z", "creation_date": "2026-03-23T11:45:31.144911Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144917Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"924de0ef972f4db7bee5f24f32b558a8fe7e7fe7bfdcaca1c7996a0cb67e33b1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "164192c9-6a0d-5bcd-8512-65371ed020dc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622036Z", "creation_date": "2026-03-23T11:45:29.622038Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622044Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "92edd48dfac025d4069eb6491b9730d9d131b77cceaa480af9b3c32bc8c5e3a9", "comment": "Vulnerable Kernel Driver (aka AsIO.sys) [https://www.loldrivers.io/drivers/bd7e78db-6fd0-4694-ac38-dbf5480b60b9/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "16467a79-82c0-5c3d-a3dc-b5004a2c40f0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144499Z", 
"creation_date": "2026-03-23T11:45:31.144501Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144535Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8b82e0c2e81f47754b5af6a366725ed07b283699873663806d3a375e9fdcf9d2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1662785f-79ee-5539-9c0a-d839d9f11efd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834028Z", "creation_date": "2026-03-23T11:45:30.834031Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834039Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8f3c0232f43e940cf8e7dca3ef30eb202bfbcc5c22b1f4aec5eac93fa1bb8764", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "166aef44-aa84-596c-a4d9-11e00b2013c6", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970157Z", "creation_date": "2026-03-23T11:45:29.970160Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970165Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "60f79c1b60a74b98b4f436d6bbbf5aeb9ce6febbe1443d318eea7581962b75a4", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1671a50f-38ac-5c13-9932-47f8a0f78862", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828359Z", "creation_date": "2026-03-23T11:45:31.828362Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828371Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"e02a5f2f9e809dc4b43f1efd738468dd2d4c2ece245e79e53a573cdcdb4dcb6e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1675de5b-12f8-5adc-b16b-13199706802b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473295Z", "creation_date": "2026-03-23T11:45:31.473298Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473307Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0099c687fd570537a97703491cf4d58c0aa7263dffa84f04f563e0abf871235c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "16774b23-ec54-5703-ac9c-dcd7d5f51ded", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824794Z", "creation_date": "2026-03-23T11:45:30.824797Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824805Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ba3f881f656a0053081640d9381bc60cceec0d28f1b51ec9723fa8c1e4ab983c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "167be708-8035-5496-a8c5-252b56380848", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459129Z", "creation_date": "2026-03-23T11:45:30.459132Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459141Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f488500be4eaafba74b644be95d4c0523297770fb9bb78c449f643ab8d4a05d9", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "168b1cc9-0bd9-5ed7-ba20-e45fc7c816d0", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141646Z", "creation_date": "2026-03-23T11:45:31.141648Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141654Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "90a225fd5dde6ed4f02b93c7fb8d61a7b1e971c7be89bf03489d1bca3bb6b9fa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "168b7e66-f6bf-5741-a440-14bc17015155", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156449Z", "creation_date": "2026-03-23T11:45:31.156451Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156456Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "2062cb33e7c5aa01bf0f5c4c78d3c5a3bd757492545ab4494cfc6ccf2efa2da8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "16914bf1-0cfc-5340-ba93-ef24964b80bc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155402Z", "creation_date": "2026-03-23T11:45:31.155405Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155413Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "02d5694e2727bcd840e3563570d5d565a153632c55c0bbd074f32693e728b17c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1699d89a-9bc6-5018-b20f-f485f9c2b6a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808320Z", "creation_date": "2026-03-23T11:45:31.808323Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808328Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "13a17b8a155e0cf0a8fef9db9067cebfb69849c2311d52a5790239ab41e4572a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "169b66db-e58c-5638-afdc-98f96ee1d54e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479260Z", "creation_date": "2026-03-23T11:45:30.479262Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479267Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "994f322def98c99aec7ea0036ef5f4b802120458782ae3867d116d55215c56e4", "comment": "Vulnerable Kernel Driver (aka VBoxTAP.sys) [https://www.loldrivers.io/drivers/f22e7230-5f32-4c4e-bc9d-9076ebf10baa/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"16a0ae15-4c80-509d-af4e-79c1bfb72b34", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827309Z", "creation_date": "2026-03-23T11:45:30.827311Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827316Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "08728784826b5240145fbfa4e6f98234690624cf0c2398eca40accda1c4f7e3e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "16ac11db-caa4-5526-add3-c7f991b5f3ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831371Z", "creation_date": "2026-03-23T11:45:30.831374Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831382Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c5b695c3336628a33aaa69c98551273a23021d0af663fec196aff2b80dc7636", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "16af6e9e-f2ee-59df-af86-56a6f5448285", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834756Z", "creation_date": "2026-03-23T11:45:30.834759Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834768Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c38fd37dd3694cdb2bab7ad1d403c25acf3caeefcf50f5b042a2ddc40a7b2f23", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "16be3c2d-df44-52b8-946b-e298e5629093", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467619Z", "creation_date": "2026-03-23T11:45:30.467622Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467631Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4d11419d2f1d6217481d12d3f3fcd13f693f7454f9fadcdeee72bdc0ce06c8e2", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "16ce02a0-7718-5dc9-9268-9a48004c2d74", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482090Z", "creation_date": "2026-03-23T11:45:31.482094Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482104Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "21949150dd0b15bcd883815e27a9b2bed0a4fc73efba1f821670ece3a4279002", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "16d4604f-f39c-5620-81a2-db3d7600332c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819532Z", "creation_date": "2026-03-23T11:45:30.819534Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819540Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "afda5af5f210336061bff0fab0ed93ee495312bed639ec5db56fbac0ea8247d3", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "16deda0c-c87a-58c7-82f1-64e64a77d4f7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604717Z", "creation_date": "2026-03-23T11:45:29.604719Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604724Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "70211a3f90376bbc61f49c22a63075d1d4ddd53f0aefa976216c46e6ba39a9f4", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "16f47624-8a60-5c5a-b727-295198dec4aa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466378Z", "creation_date": "2026-03-23T11:45:30.466381Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466389Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "80e4c83cfa9d675a6746ab846fa5da76d79e87a9297e94e595a2d781e02673b3", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1703161e-a974-5c0c-b228-38797026deb8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481073Z", 
"creation_date": "2026-03-23T11:45:31.481076Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481086Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c9a5dd30173da95e9785b5ee1743c50762a113a6af841969d9131fb99e1e96e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "173410eb-0587-5203-8910-a6e99aacb7b5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818600Z", "creation_date": "2026-03-23T11:45:31.818603Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818611Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "19f89225aa3867d60ac8a21553b642ae7e2d4559c21d685f46e2af81b3456f19", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "173b038a-72e5-5fd6-bb32-f6b37c9ed2f9", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620332Z", "creation_date": "2026-03-23T11:45:29.620334Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620339Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "81939e5c12bd627ff268e9887d6fb57e95e6049f28921f3437898757e7f21469", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "174052fe-758a-5e3b-9a33-264f819c1bd4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159013Z", "creation_date": "2026-03-23T11:45:31.159015Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159020Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"0c36c97d499a6e3154883aa0e19167aaae0cab01b83bb7a934a7ccbd077df6bc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "174b10e5-f4cc-5157-b01f-732267b2e8a0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827071Z", "creation_date": "2026-03-23T11:45:30.827073Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827079Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8895c23c7d39b59516ea2e411491862391d8aa41575cb58f9446ecd8b5551e9b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "17541b59-f6e9-58f7-be8c-4218994d736e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146452Z", "creation_date": "2026-03-23T11:45:32.146455Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146460Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "44a89f82bf3303553f9a9fdf136b4453af6d4c777c95da57c5b8baca8506c272", "comment": "Malicious Kernel Driver (aka driver_1a74c2bd.sys) [https://www.loldrivers.io/drivers/af153e7c-13fa-4a40-a095-00726ad6d783/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "176bf81a-6c4e-5ae3-b7e5-4098aa4ed547", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827613Z", "creation_date": "2026-03-23T11:45:30.827615Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827620Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e6cf6159f63328c4e05587c2acfb5548c3fe9318456c9d12f496f01a783310b2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "176d3ad5-b0d1-58fa-ab9f-98ba92b8ca05", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977979Z", "creation_date": "2026-03-23T11:45:29.977981Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977986Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3ba724dd78864cd527a99673fde1bf7f9f85f2415c91708e7380fbe5e2c085dd", "comment": "Vulnerable Kernel Driver (aka LgDCatcher.sys) [https://www.loldrivers.io/drivers/a8e999ee-746f-4788-9102-c1d3d2914f56/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "177548a7-5548-5218-9f2b-d3259104aa58", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148382Z", "creation_date": "2026-03-23T11:45:31.148384Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148389Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", 
"value": "7883089fb4a9f67201bde1be555948a6c62aaa841c26f965db030e6588cd0d5c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "177cb25a-7a20-57cc-ab65-bb29a79b744c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616042Z", "creation_date": "2026-03-23T11:45:29.616044Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616050Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "65db1b259e305a52042e07e111f4fa4af16542c8bacd33655f753ef642228890", "comment": "Phoenix Tech. 
vulnerable BIOS update tool (aka PhlashNT.sys and WinFlash64.sys) [https://www.loldrivers.io/drivers/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "179a1c0f-1099-5ce6-809a-468f372de81d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825186Z", "creation_date": "2026-03-23T11:45:30.825189Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825197Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4d81fb2f41d806cc7c79ef782de045e78e3b6947dab42dc7888375fd93a781bf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "17a1e819-a606-5845-95ae-a81bc82b2787", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475796Z", "creation_date": "2026-03-23T11:45:31.475800Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475810Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0d7737e5674fbee8e70e0010d45ba9fff511a0af2bfe467a370c79b075fa6240", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "17b8f50a-2df7-5d65-b4e5-73e8028bd93e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835666Z", "creation_date": "2026-03-23T11:45:30.835668Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835673Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "339158f7636138c7e5cbd797ff300e60f765626f374d5175a4c1a5a59549e944", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "17bb0317-9868-5caf-9790-5b011e2aef8b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492037Z", "creation_date": "2026-03-23T11:45:31.492039Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492045Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "db71983915836c7bacf9765601439bdd1150d55a0eb110b3d566fa30b1c3178b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "17bcbb07-5889-586b-b299-430c4b8b397b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829734Z", "creation_date": "2026-03-23T11:45:30.829736Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829742Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"ad05b7732ac6c21b0fa72690589d7541ce30a1fb874fbb20c4ccdb7cd580a364", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "17d150c0-ab95-5516-949b-5832e334ed49", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812527Z", "creation_date": "2026-03-23T11:45:31.812529Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812534Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "05c219060623be84d7d1beab607fa2a0a6389b89b8489397921dfb95d659f8cb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "17d4013f-6530-540d-8d28-fed50daadc04", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614144Z", "creation_date": "2026-03-23T11:45:29.614146Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614152Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d636c011b8b2896572f5de260eb997182cc6955449b044a739bd19cbe6fdabd2", "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "17dd6640-ee07-5841-827c-adca96d9f678", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604521Z", "creation_date": "2026-03-23T11:45:29.604523Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604528Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6ae4d36cf42a3bd1ddf9dd98794b401cd995bc519a12ffbde63e63b03a2424b3", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "17f460c2-a541-56e3-99b8-40fe50200abe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456335Z", "creation_date": "2026-03-23T11:45:30.456339Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456347Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a7416a7d9573f1d8873ec1b3109ec683e85412ba817e0001c3ab2d2c92043d4d", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1801d8f9-96e4-5c8d-88b0-b447c4a7aae5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480334Z", "creation_date": "2026-03-23T11:45:31.480338Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480348Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b1e499701948c14970c52586b63c26e2e180a593977ecaa34b28ed749b2a15ae", "comment": "Vulnerable 
Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "18063a5f-4ac2-54e7-b232-3ce21d0604f9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817979Z", "creation_date": "2026-03-23T11:45:31.817982Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817990Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0596f9e7390c439b1896ca0561d7cf9114f405b237da2b3fb06595a25f3cf0cd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "181b86d8-8476-59e7-b5d0-8c2616798ce7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619001Z", "creation_date": 
"2026-03-23T11:45:29.619003Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619009Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6a95f3c5cec52da45f9b74660b81226b4314ec18e761490140173998500ae015", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "182515f3-1a2c-505f-8328-e1a87c2d4f2c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478700Z", "creation_date": "2026-03-23T11:45:30.478703Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478712Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d0eb3ba0aff471d19260192784bf9f056d669b779b6eaff84e732b7124ce1d11", "comment": "Vulnerable Kernel Driver (aka Tmel.sys) [https://www.loldrivers.io/drivers/1aeb1205-8b02-42b6-a563-b953ea337c19/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "18295421-b601-52d1-b06a-e7aa6e8e0d1c", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604337Z", "creation_date": "2026-03-23T11:45:29.604339Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604345Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7823833a22e11345c69d0c9687b3b75e0043492ed9546d6300a3f63017384538", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "182dcb61-f882-5f5e-bfc8-ade442ab6e2f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488656Z", "creation_date": "2026-03-23T11:45:31.488658Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488663Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"5951c107f2e358e96be1341b367d38e2a644453ba349f497efcb543a1d89c8fe", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "182ea10a-b8cf-5a22-8dad-09f0269a484b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491061Z", "creation_date": "2026-03-23T11:45:31.491064Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491073Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7b3b9cbf31ed921cebf444b37d3e5a9c1b4edde8d69e1e33dbe9b4b0281ac406", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1833432c-cb1b-5089-a8ea-a00aef65c44f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488863Z", "creation_date": "2026-03-23T11:45:31.488865Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488880Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cbc56a38483d9fed6030a5f5b4b2a913ed09db6f4166ed18bb3ea2377947d39b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "183b323f-567b-51ba-b497-5d19adda5df4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825041Z", "creation_date": "2026-03-23T11:45:31.825043Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825048Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e76abdf16b55e8e568a2a70f89eaa57edcf57538c082054197f6a48a313386c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"183bd5de-b815-5e2a-b644-b00596788964", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834463Z", "creation_date": "2026-03-23T11:45:30.834466Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834475Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea97ff8adb3ca8abca38cefabc8885f220dc2e937b9af1aa37afdf3b1ca87797", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1853095e-019d-5e98-a5e8-a7b5fe2d0232", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459385Z", "creation_date": "2026-03-23T11:45:30.459389Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459397Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "db1dbb09d437d3e8bed08c88ca43769b4fe8728f68b78ff6f9c8d2557e28d2b1", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "185f5d80-f41c-5061-93df-721f71c369d4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619054Z", "creation_date": "2026-03-23T11:45:29.619056Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619062Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b1b708dd7b10616693fd6b56e0b47d9fa6b90f9db28cbf3893b815222e2fa2e5", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "18759823-b744-5986-874d-9db2951e6aed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615434Z", "creation_date": "2026-03-23T11:45:29.615436Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615441Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7fa5c326b294f4fc537207a27947c2fcbbfa4eabde1ba4727c92cd8613e0fc7f", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1875b6fb-099c-5b12-a371-719047524fd8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150194Z", "creation_date": "2026-03-23T11:45:31.150196Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150201Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "198ad963612c57f44158156a0142cc607d867fc7d478a0aaf711d0bdd131e2db", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file 
SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "18867532-5a88-5a89-a010-a7db15a44a80", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975992Z", "creation_date": "2026-03-23T11:45:29.975994Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975999Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3a9e1d17beeb514f1b9b3bacaee7420285de5cbdce89c5319a992c6cbd1de138", "comment": "SystemInformer driver (aka systeminformer.sys, formerly known as kprocesshacker.sys) [https://github.com/winsiderss/systeminformer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "188c4aef-614b-503e-8a62-2505f8dfc3ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485135Z", "creation_date": "2026-03-23T11:45:31.485138Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485147Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1e1a8f5f9657c32d55a36cae3071dd874b0504f645d37e633d65a313192075ee", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "188c502e-fe31-584d-9125-47d31962df38", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153942Z", "creation_date": "2026-03-23T11:45:31.153944Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153958Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1d70eb4feb73020f17d62933062b0bdb47aa2e236f868c2f2beb492810811f24", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "188d63e0-66f7-5911-aab0-fa797b425113", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145318Z", "creation_date": "2026-03-23T11:45:32.145321Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145329Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "507b07b0dc0e638b65b4a4d11a462b35439c746d42337b9888927bf994176102", "comment": "Vulnerable Kernel Driver (aka SeasunProtect.sys) [https://www.loldrivers.io/drivers/3a9ea9a6-e5e3-439a-b892-1f78dd990099/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1893c7d6-1896-5c6b-9f9c-7d87295dddfe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453753Z", "creation_date": "2026-03-23T11:45:30.453757Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453766Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b40db5bb6a76ca9aed98366dc19f0c31c50b3f0ac96e0f615e4c52abb6bb0cde", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "189ae851-081f-50bb-b7c1-ec5ff0f47672", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982818Z", "creation_date": "2026-03-23T11:45:29.982821Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982826Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c60fcff9c8e5243bbb22ec94618b9dcb02c59bb49b90c04d7d6ab3ebbd58dc3a", "comment": "Vulnerable Kernel Driver (aka ProxyDrv.sys) [https://www.loldrivers.io/drivers/0e3b0052-18c7-4c8b-a064-a1332df07af2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "189d3e7e-3e66-5788-a2e8-55d558a5de9c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816302Z", "creation_date": "2026-03-23T11:45:30.816304Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816309Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5fae7e491b0d919f0b551e15e0942ac7772f2889722684aea32cff369e975879", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "18a4d7e9-4210-500b-ab17-7ad4c85fd9bf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610405Z", "creation_date": "2026-03-23T11:45:29.610407Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610413Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4d19ee789e101e5a76834fb411aadf8229f08b3ece671343ad57a6576a525036", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "18a75389-90d1-528a-ae72-23353bc13875", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470922Z", "creation_date": "2026-03-23T11:45:30.470926Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470935Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "683936955d7e3281573fcbaa149fc384a06dc4a12cd67ce601aba2f1a32b19c3", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "18a87291-bce2-5380-974e-a892e7d75199", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821051Z", "creation_date": "2026-03-23T11:45:31.821054Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821062Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d67133fb200fb009235f10e7f87674f627c65d1320b63d22dff10dc9efe00e41", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "18aa80c8-228a-5db4-84b2-164dab9da9dd", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.815629Z", "creation_date": "2026-03-23T11:45:30.815632Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.815638Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0f30ecd4faec147a2335a4fc031c8a1ac9310c35339ebeb651eb1429421951a0", "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "18b8d519-5e8c-54c5-82cf-ab7ab90f922d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460350Z", "creation_date": "2026-03-23T11:45:30.460354Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460362Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", 
"value": "613d6cc154586c21b330018142a89eac4504e185f0be7f86af975e5b6c046c55", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "18c67298-9ca1-5c9a-8409-b253515f4e81", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615640Z", "creation_date": "2026-03-23T11:45:29.615642Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615648Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eae8045d43f16e33232fd8bd2399f48b14f8a6391c9fffe38960c03fee978b27", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "18e872fd-a45a-5812-941d-2608f99a740e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491984Z", "creation_date": 
"2026-03-23T11:45:31.491986Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491991Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e63fe1bfbbc1b8fade1fd13bac1504a82c5846a8abd9359ce90b6e0fecbbb7aa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "18eb6bf7-4b88-5622-9bd5-285a92b073f9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819140Z", "creation_date": "2026-03-23T11:45:30.819142Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819148Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ac7cd788581d6f8098b5d438546eb3584c1b08dbe7fd3b1ddc2a7295bd4dd16f", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "18f07e05-d597-5181-8e27-2732a91f055e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832443Z", "creation_date": "2026-03-23T11:45:30.832445Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832451Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a785bd53993312166463fd39b61d610cb304376d73846318646c54d34896f952", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "190daa73-097a-5f4e-97f5-d5b33f87e3ac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980585Z", "creation_date": "2026-03-23T11:45:29.980587Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980592Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"e269b4cb9df863c31ae13012429f67a0f3cd81481025d35ce6531b33b63b5976", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1911593b-bfe5-5daf-9db9-204c3f44a6e8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473325Z", "creation_date": "2026-03-23T11:45:31.473329Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473338Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fef2b46b8a2ac3dd99373b45b3c55ebac2f87cd4b43ca5de2e06cfe88602431d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "19147c82-4285-569b-a634-5a13bf016abc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975497Z", 
"creation_date": "2026-03-23T11:45:29.975500Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975506Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "45799bfaea64e065a9b0c97f9f10f42c830d26e55fdcb354e39179d0993e9c7d", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "19167ee2-9e05-542d-8c61-3ca8a8fa470a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809417Z", "creation_date": "2026-03-23T11:45:31.809420Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809428Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "25291720e0ee3eaa62c5aec72ec920e776e1255cc64a7010c6c62533e391fa40", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1918a1ed-2664-570e-8969-831b3df24d18", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970176Z", "creation_date": "2026-03-23T11:45:29.970177Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970183Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f2e97fb72237dbbd8981d13a056dd3544c41d802efd129e1ea7e3f655de661b8", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "191bb992-58ad-5bde-9f2b-ff118d2c2f14", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808838Z", "creation_date": "2026-03-23T11:45:31.808842Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808851Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "be14867535e637d30d5778b2a96b6e8d2631046ac34ac7c92fe9936d09c4e062", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "192674a3-134e-5844-a2d3-65f95cfaefb1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830807Z", "creation_date": "2026-03-23T11:45:30.830809Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830814Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cbbe48826fae88adb74f5e7e77e1fbe192d9e0f05983d69565e54f9c846e9da3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "19365f62-ae05-5f88-a54c-9ea9c4e8940e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836630Z", "creation_date": "2026-03-23T11:45:30.836633Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836638Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "08d844b1ef804e6f4ebe072ba9f57feba5a063b97f19625a4012bf83b2929ea0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "195ed128-e7a2-5ce9-8199-ec3d788c8c19", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153648Z", "creation_date": "2026-03-23T11:45:31.153650Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153656Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "896b21cb5583cc9b0e32c490bf352dc6ffc2416edec79aeab0616829a13ccaa5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "19656c3f-d006-5dc2-ac09-d62816f75249", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975130Z", "creation_date": "2026-03-23T11:45:29.975133Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975138Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9b1ac756e35f795dd91adbc841e78db23cb7165280f8d4a01df663128b66d194", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "196b6108-fa27-5bd9-8a45-4add3b144e47", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146692Z", 
"creation_date": "2026-03-23T11:45:32.146694Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146699Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d51d00127ddd4551fb1eafe14255715014944ad4c60eabb9e568c3ff98ff4a2e", "comment": "Vulnerable Kernel Driver (aka 8492937_2_Driver.sys) [https://www.loldrivers.io/drivers/c95a796a-a8f6-4cfa-bc42-4936ecb59091/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "19978ec1-6c20-5d2b-8a56-0e6291806ce2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466937Z", "creation_date": "2026-03-23T11:45:30.466940Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466956Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b8d3914b796832a576ed0c977db439c8a5d6df5d0608088c39c786ff81bc2f11", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "19a714e6-3b01-53cc-ae78-1c5482addd53", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829708Z", "creation_date": "2026-03-23T11:45:31.829711Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829719Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "560dbf29eb838763cbabcf378cd8e9f12b7b674df8bfbe7a299f1203c1b3e349", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "19b7adda-2c0f-5d0a-b70b-a908c47009e5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487649Z", "creation_date": "2026-03-23T11:45:31.487651Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487657Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "df95701164a0c5725ff99af1bbd0871083c7139a7683f0753eddfd584d84ba79", "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "19cbbf30-419d-5429-996b-d634f00387c8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141820Z", "creation_date": "2026-03-23T11:45:31.141822Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141828Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6fa56c310f9214532d074abe3c37b73c483c16dc8680d0e16d5144e49c7ced03", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "19dbd962-119b-5630-8dc6-0985d81e6f9f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473143Z", "creation_date": 
"2026-03-23T11:45:31.473147Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473156Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b32096444234a6473f797834b61cec443aab2acbffacf0f7dac842e3c7c10825", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "19e0fd82-c6d4-5cb2-ae3a-219f024b9428", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.603996Z", "creation_date": "2026-03-23T11:45:29.603998Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604003Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d27af8f0bed1e4f4aeb2b20da89d0ffa1b7b5f7f14148cdf09e6444a0aa5bb1b", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "19ecd793-8d73-58f3-ae33-27d476eca21b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973965Z", "creation_date": "2026-03-23T11:45:29.973967Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973972Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c082514317bf80a2f5129d84a5a55e411a95e32d03a4df1274537704c80e41dd", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "19f077e2-2173-555e-8e13-960e42e56206", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468376Z", "creation_date": "2026-03-23T11:45:30.468380Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468390Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "68ea8d1bfabf37920686a0814c0bf47cbc4527543716fd94c0d3f23382e15081", 
"comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "19f498f3-b9a7-55ee-bf3b-556a5d4ed3e1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984034Z", "creation_date": "2026-03-23T11:45:29.984036Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984042Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7049f3c939efe76a5556c2a2c04386db51daf61d56b679f4868bb0983c996ebb", "comment": "Vulnerable Kernel Driver (aka SysInfo.sys) [https://www.loldrivers.io/drivers/84ccb68d-ce34-4aa2-98d5-7f473c2e1b07/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "19fce74c-69ac-5bd6-8630-2633f7db63fd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985467Z", "creation_date": "2026-03-23T11:45:29.985469Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985474Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "24395b622d4fd48864a50978ffd2b82fdded5189741a6deea9293cc075cd0c6b", "comment": "Malicious BlackCat/ALPHV Ransomware Rootkit (aka dkrTK.sys) [https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1a08e9c2-aa2b-5a9f-b19b-932dbe08275a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487992Z", "creation_date": "2026-03-23T11:45:31.487994Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487999Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a7b66aa27c75ae2109da03c276bedce8a1c9d978929587f219d435068bc6fdc5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1a0928c2-bb7d-5d97-98aa-99427c11779e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159439Z", "creation_date": "2026-03-23T11:45:31.159441Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159446Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9fcf57a17d44a6583153261a9c43211ad1d65a1f5ebda12cb1856629e774bdb9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1a0b25fa-8131-54c0-b799-7c16ee00662f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492574Z", "creation_date": "2026-03-23T11:45:31.492576Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492581Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "14d3a333327078aa265028c992293ac58655d8376c3e5110519fbaa079b2fc36", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1a0f9dbf-e318-5785-8cea-ce5820276cbd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617167Z", "creation_date": "2026-03-23T11:45:29.617169Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617174Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5", "comment": "Noriyuki MIYAZAKI's WinRing0 dangerous driver (aka WinRing0x64.sys) [CVE-2020-14979] [https://www.loldrivers.io/drivers/f0fd5bc6-9ebd-4eb0-93ce-9256a5b9abf9/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1a2b70bc-1678-570f-9173-747a031380e1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983122Z", "creation_date": "2026-03-23T11:45:29.983124Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983129Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a1ee0b8a7974f3d11c10241027c0e7171c798a28589aae9ff8c5a86228642af7", "comment": "Malicious Kernel Driver (aka wantd_3.sys) [https://www.loldrivers.io/drivers/a22104a8-126d-449f-ba3e-28678c60c587/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1a2bbcd1-73a6-576f-870e-74b7f61b09e0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455816Z", "creation_date": "2026-03-23T11:45:30.455820Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455829Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "80b2c44b2cdb74bafcc1271c5338f1d80f3621308b6c9d24d52bb28c8983677c", "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1a3a32b8-a832-597a-82ae-ed3eef3f84d7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982253Z", "creation_date": "2026-03-23T11:45:29.982255Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982261Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a7047cee090ddbd150d7337a9357e03ccea56f004a2d29ddb7b8a0636a396240", "comment": "Vulnerable Kernel Driver (aka KfeCo11X64.sys) [https://www.loldrivers.io/drivers/76b5dfae-b384-45ce-8646-b2eec6b76a1e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1a3ca41e-25b6-565d-ac7e-04d0b3483ab8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146865Z", "creation_date": "2026-03-23T11:45:31.146867Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146884Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "abd10f102691ac30182a9ad827348cd480512a7f56fdbd9e450a8aaae2c837de", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1a3ce5ab-06e8-5c07-9740-330dad25c761", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149222Z", "creation_date": "2026-03-23T11:45:31.149224Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149229Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "128c06b72d6dc977f4bb042ea1899be9ee0e8444f23bb87be606551c01e5adf8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1a52585c-37ca-5252-af03-8302756c1a01", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608596Z", "creation_date": "2026-03-23T11:45:29.608598Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608604Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f4c6063550ccae04771484b5eb60b5be33d07cebfbc3caa47e5f369f9fb50fc7", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1a5b8176-be27-5e53-9748-b0c93fc82ee0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463212Z", "creation_date": "2026-03-23T11:45:30.463215Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463224Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0b80a11802b4a8ca69c818a03e76e7ef57c2e293de456439401e8e6073f8719", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1a5efa77-642e-5361-bd59-9092809ab5a4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622949Z", "creation_date": "2026-03-23T11:45:29.622951Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622957Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d6753d2e6cf2f11932b4fedd4362ab57651f8f3baa886eace22fd98a14ebc2e8", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1a624cf2-d115-5acb-a507-21ae38161cbe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489827Z", "creation_date": "2026-03-23T11:45:31.489830Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489839Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2de8a42b61fcc910baaef045c02e34d5734c17362c4c9c59ebe31b09dca9501a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1a64bf39-4827-5a24-a236-e7ef77383d92", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978562Z", "creation_date": "2026-03-23T11:45:29.978564Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978569Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea85bbe63d6f66f7efee7007e770af820d57f914c7f179c5fee3ef2845f19c41", "comment": "Vulnerable Kernel Driver (aka IOMap64.sys) [https://www.loldrivers.io/drivers/f4990bdd-8821-4a3c-a11a-4651e645810c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1a668372-1b9e-5fea-9a7c-30facbfed65f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817004Z", "creation_date": "2026-03-23T11:45:31.817006Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.817011Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "871699ac3fb68074ce6311aa3c73427f18c314c9e9d2591314479fd171b5de04", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1a767f35-e879-541d-8dd1-ef6684b7e619", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822891Z", "creation_date": "2026-03-23T11:45:31.822894Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822903Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0f3726da10f29b45473ea00b336648ce38b375a107f212e8d61a93d7140301e7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1a7820ad-fbc1-5acb-8688-265b7c6a4835", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608033Z", "creation_date": "2026-03-23T11:45:29.608035Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608041Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b8eb26b6f79020ae988e4fb752dc06e1b6779749bf4f8df2872fc2b92bab8020", "comment": "Vulnerable Kernel Driver (aka tfbfs3ped.sys) [https://www.loldrivers.io/drivers/500e07cb-77c6-4e83-ae3f-73f70f1c10b5/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1a78f9a1-58ad-5bb3-b213-06fc39e4246e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486638Z", "creation_date": "2026-03-23T11:45:31.486642Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486651Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3df955b65cf8868501e7584ea4c444c8ec848c338bf1ce0174f7284f82b2e458", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1a7933cd-ecfb-51ad-93e2-4913d3fc1da8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455417Z", "creation_date": "2026-03-23T11:45:30.455420Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455429Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8bf84bed9b5fa4576182c84d2f31679dc472acd0f83c9813498e9f71ed9fef3e", "comment": "Vulnerable Kernel Driver (aka mhyprotrpg.sys) [https://www.loldrivers.io/drivers/181b89e5-4bdd-4e95-b1bc-a294a4adfb29/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1a8a6c3d-eeaf-5567-bfa6-d648744181b7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453041Z", "creation_date": "2026-03-23T11:45:30.453045Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.453054Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c08581e3e444849729c5b956d0d6030080553d0bc6e5ae7e9a348d45617b9746", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1a8e0509-4ee8-5f29-9618-7fb09c152d7f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475601Z", "creation_date": "2026-03-23T11:45:31.475605Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475615Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "027e22a238d1033467ec4800479392e27f4e5fd4a50785f96a32722d15df5acf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1a91b4bb-e231-5476-b96e-68d0e2a130b8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.478833Z", "creation_date": "2026-03-23T11:45:31.478837Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.478846Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e4060fe83f89ef7c94f52a20dbbcb8e6303cb9f493d622b7785763612f9d17e0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1ab7195c-97f4-5a9d-8fe8-abb26d1aacf9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828275Z", "creation_date": "2026-03-23T11:45:30.828277Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828282Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5d4da5704e1c198d6925473d42c11932485dfcb60d59dbfdd2f9459e3589286f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1ab8f1a7-8ef9-5fb6-82c6-6ee89df0ba1d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483147Z", "creation_date": "2026-03-23T11:45:31.483151Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483161Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4216ccb7c3d275f6ca2e093ccfc50b8e4e76709d80ed723eb2d9d64aa0e90d87", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1abd5bc8-7649-5b4d-abf2-2717cf6ef1ac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466664Z", "creation_date": "2026-03-23T11:45:30.466667Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466676Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4bca0a401b364a5cc1581a184116c5bafa224e13782df13272bc1b748173d1be", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1ac73fb4-7e4c-5f43-8dd8-24341e7d9502", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819428Z", "creation_date": "2026-03-23T11:45:30.819430Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819436Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d54ac69c438ba77cde88c6efd6a423491996d4e8a235666644b1db954eb1da9c", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1ac96720-2eeb-59e3-8927-f2904b1369f9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983369Z", "creation_date": "2026-03-23T11:45:29.983371Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983376Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "97030f3c81906334429afebbf365a89b66804ed890cd74038815ca18823d626c", "comment": "Vulnerable Kernel Driver (aka kbdcap64.sys) [https://www.loldrivers.io/drivers/6a7d882b-3d9d-4334-be5f-2e29c6bf9ff8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1ad0a164-fba5-55ce-b1a3-905ca6fbd8a4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465511Z", "creation_date": "2026-03-23T11:45:30.465515Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465523Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b34e2d9f3d4ef59cf7af18e17133a6a06509373e69e33c8eecb2e30501d0d9e4", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1aebafa2-5e96-584c-94f6-5fae7cfbfc9e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969076Z", "creation_date": "2026-03-23T11:45:29.969078Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969083Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0f17e5cfc5bdd74aff91bfb1a836071345ba2b5d1b47b0d5bf8e7e0d4d5e2dbf", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1b099f55-0316-5967-95d4-04b2190aa9d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604374Z", "creation_date": "2026-03-23T11:45:29.604376Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604381Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "761ca3aee052d4a34f500dee578ef55a4e481b1d6096eb3573f3f828ecfe4f89", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1b0cd3ea-e28e-5b2a-a040-c14bf801a7e1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819784Z", "creation_date": "2026-03-23T11:45:31.819788Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819797Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d8a2e2d3b845d658150e656153e40e6c741cdaa2627ed940e9875ca42472ba82", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1b175542-d22b-5431-8403-43467b2826fb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489004Z", "creation_date": "2026-03-23T11:45:31.489006Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489012Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1dd2feaa9b18b3ba4187167557107e5bc331837f607e1a7adcbc7192700d1b80", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1b17bc16-e852-5ee3-a3d1-e63ed949fad3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473630Z", "creation_date": "2026-03-23T11:45:30.473633Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473642Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2c27ad462ed0e16252b834cf0c76b1c5085ad9b7b6a13f67d1d2471177f1b177", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"1b2f0f9e-5f0f-57b9-9586-6a0c4076a36b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982713Z", "creation_date": "2026-03-23T11:45:29.982715Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982720Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "97cada65b735f3eece349c7b7021c4469d5a9fb3cf8b5e2ac187006469ffbc98", "comment": "Vulnerable Kernel Driver (aka SysDrv3S.sys) [https://www.loldrivers.io/drivers/cf49f43c-d7b4-4c1a-a40d-1be36ea64bff/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1b34914b-2ad9-5fcd-90bd-828c893d5883", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830825Z", "creation_date": "2026-03-23T11:45:30.830827Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830833Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "197ff39f37973f12175188c41007cb555f569a310f36ce3a613a0989385275a5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1b3b66b5-4ede-5845-944e-5c0b7c153d4d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145218Z", "creation_date": "2026-03-23T11:45:31.145220Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145225Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "529b3ad0f683ce1d5dc236692c68f2c990aa09d816fd4d9e35a1e94a8aaf417a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1b4bc9d3-46f5-5ce1-9f9e-c2000432c34b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489551Z", "creation_date": "2026-03-23T11:45:31.489555Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489563Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a43eda51f8bea611289c52ca96ec4f703c895d1cba72232fe8a7388945ea6dfd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1b4d7b86-08d0-55d4-9615-1e09bbcb3118", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145893Z", "creation_date": "2026-03-23T11:45:31.145897Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145905Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4653fb7161bc0f5af4057778d8f9d5aa865923db472220479033448a403c007f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1b61eb18-4d0c-547f-ad60-52e1234277bc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973906Z", "creation_date": "2026-03-23T11:45:29.973908Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973913Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "adc10de960f40fa9f6e28449748250fa9ddfd331115b77a79809a50c606753ee", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1b675bb8-aa03-5acf-8bb0-7b6f92a5f316", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817365Z", "creation_date": "2026-03-23T11:45:30.817367Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817372Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ce5523dea824b2f2d4d442a9016d0f1b7cc52dce58a1740f4c43fd28e1c6dcb", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1b736bdf-8e4f-5d39-9022-99852b2f46d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818066Z", "creation_date": "2026-03-23T11:45:30.818068Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818074Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6ef0b34649186fb98a7431b606e77ee35e755894b038755ba98e577bd51b2c72", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1b7abaea-b19e-54f3-b5e0-148ad62060d2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458250Z", "creation_date": "2026-03-23T11:45:30.458254Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458262Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "49ef680510e3dac6979a20629d10f06822c78f45b9a62ec209b71827a526be94", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1b7af6a4-bb22-5935-8d9a-c28de969b594", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622562Z", "creation_date": "2026-03-23T11:45:29.622564Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622569Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "72c0d2d699d0440db17cb7cbbc06a253eaafd21465f14bb0fed8b85ae73153d1", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"1b8bdd30-526f-51da-8967-b823cc336470", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826586Z", "creation_date": "2026-03-23T11:45:30.826588Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826593Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "072397e33f2bb44596c3c188a570b18628921456621b0eba8f6ba4b71035064c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1b8fa0de-40b4-54fa-9223-780a6c48c933", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459460Z", "creation_date": "2026-03-23T11:45:30.459463Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459472Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1a0f57a4d7c8137baf24c65d542729547b876979273df7a245aaeea87280c090", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1b9adada-ebd4-5a46-b917-3049f1f02a50", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817959Z", "creation_date": "2026-03-23T11:45:30.817961Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817966Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "53f2bfe03b5d74c9db8c6a849e5a4690cba9a9861dd98c204865000506d8ce67", "comment": "Vulnerable Kernel Driver (aka stdcdrvws64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1ba871cc-f886-537f-b30e-ec3fca2c090b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976764Z", "creation_date": "2026-03-23T11:45:29.976767Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976772Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "db0b5c434ddc7c97505a8be24431e9fbe484c2113df4ddf061aee91c35eab8b6", "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1bac03e4-bc3c-516b-af7f-bea3b49a2065", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824952Z", "creation_date": "2026-03-23T11:45:30.824955Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824966Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dc22bbc782458f47244c9a2875b42f5916d87b4ca813eb20f1c88a2e444c36ac", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"1baca231-cc28-54de-8e3a-daff1b35ac21", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615714Z", "creation_date": "2026-03-23T11:45:29.615716Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615721Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ce89124d29b5e562bbcc2f07b1dfac0f22dd66ad3deb32dd32c8c138a3739ef8", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1bb75656-8ea6-5f19-8654-aae24887f9eb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458898Z", "creation_date": "2026-03-23T11:45:30.458902Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458910Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "11b0e5d7971aaa2a6c4621f068af390f291fd796c202369605c2e0c7940f50ee", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1bb8521e-2cd0-5496-8637-dfd4b0e2affb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472723Z", "creation_date": "2026-03-23T11:45:30.472726Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472735Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c8f0bb5d8836e21e7a22a406c69c01ba7d512a808c37c45088575d548ee25caa", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1bb94e93-3293-568c-bd63-e2f0891ba078", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.472317Z", "creation_date": "2026-03-23T11:45:31.472321Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472330Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "960af5beee5b2f08932334d7387d7bf50bfb02885b12f2c5ade8edc83d5eca0a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1bbbecd3-d5db-5980-9652-e817e527c9cc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981489Z", "creation_date": "2026-03-23T11:45:29.981491Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981496Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c640930c29ea3610a3a5cebee573235ec70267ed223b79b9fa45a80081e686a4", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1bbd4c1d-6ff1-5a05-ab0a-d2451ca0977a", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487755Z", "creation_date": "2026-03-23T11:45:31.487757Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487763Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "67483af4d2a341aa05f09ddaff08d42ae8206a08707bc27cddab41622a5d8fd5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1bbd845a-45de-598a-9baa-bf43f2320a53", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614058Z", "creation_date": "2026-03-23T11:45:29.614060Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614066Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"525d9b51a80ca0cd4c5889a96f857e73f3a80da1ffbae59851e0f51bdfb0b6cd", "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1bc09a8b-1523-5450-8f66-b1f802d62c16", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831476Z", "creation_date": "2026-03-23T11:45:30.831479Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831484Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fc288b9b40e3d0dbc5fa3df046e4ce61f1bd75086bb28233081c9cb6138d9103", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1bc360f3-955e-5043-bc18-2e995fb89da2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817070Z", "creation_date": 
"2026-03-23T11:45:30.817072Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817077Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7a1105548bfc4b0a1b7b891cde0356d39b6633975cbcd0f2e2d8e31b3646d2ca", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1bc4e500-1aa6-56ce-b677-5852a3efc0a7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145307Z", "creation_date": "2026-03-23T11:45:31.145309Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145315Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c0d52f1953a3edf62f454c7bdcfa714f53a04e475e4b08696763e2948edf82fb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1bcb951e-d64b-53e0-ba14-242cb738eac4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154622Z", "creation_date": "2026-03-23T11:45:31.154623Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154629Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5e625e5a2b33bb6051990b275e7a2381bc6cb8606504bfde5eb6dee08b24b6f6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1bcbd8cb-d97d-52a0-95df-63d11648176f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833174Z", "creation_date": "2026-03-23T11:45:30.833178Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833186Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"17b055841b41b0c1bc4348ff8a35f95c9e9e69015dfb479f757f20173cb49123", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1bdc5030-e696-5a15-8a22-c757fb258c60", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969151Z", "creation_date": "2026-03-23T11:45:29.969153Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969158Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2732050a7d836ae0bdc5c0aea4cdf8ce205618c3e7f613b8139c176e86476d0c", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1bf6e305-8e43-57b6-80a4-c242b5ba4881", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.616521Z", "creation_date": "2026-03-23T11:45:29.616525Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616533Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "38d87b51f4b69ba2dae1477684a1415f1a3b578eee5e1126673b1beaefee9a20", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1bfad0c2-7782-57f0-a8d7-947e6025d272", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815419Z", "creation_date": "2026-03-23T11:45:31.815421Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815426Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cff54479f814186be34225d85bc0a8106f6db9e0a250c3d8743c3d683a3bc695", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1c0c52b3-548b-5b83-b692-846bf02e1202", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150889Z", "creation_date": "2026-03-23T11:45:31.150891Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150896Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4e553ee6a6caa39a96105a89518f69a891ff42defa190784376205b0ff824050", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1c0f20d4-8602-59a4-8b7f-c440733e7405", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976318Z", "creation_date": "2026-03-23T11:45:29.976320Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976326Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "9bb09752cf3a464455422909edef518ac18fe63cf5e1e8d9d6c2e68db62e0c87", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1c158798-8f32-530b-8842-5c2aede4c5f8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979256Z", "creation_date": "2026-03-23T11:45:29.979258Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979263Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cb57f3a7fe9e1f8e63332c563b0a319b26c944be839eabc03e9a3277756ba612", "comment": "Vulnerable Kernel Driver (aka d2.sys) [https://www.loldrivers.io/drivers/d05a0a6c-c037-4647-99ac-c41593190223/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1c1f9c60-0057-5b73-933d-11a4f4631f2e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816474Z", "creation_date": "2026-03-23T11:45:31.816477Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816485Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1308161256400a94d7314c6adbba7de8b5fe0002e60a8504f5382cc2fa366658", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1c35c763-de95-5287-8880-61f7f69c9f0d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458750Z", "creation_date": "2026-03-23T11:45:30.458753Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458762Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "52c7b29023ac2a98b7a9c73de790d820d3d6d095bea0b077d4dad53fa97b0731", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1c36de56-0340-57a6-b3fe-061786879770", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980532Z", "creation_date": "2026-03-23T11:45:29.980534Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980540Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7070ee6dd615538ca6a701e7bdc2c23a19b84ae8ca5f9edc6307fef47eb05abb", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1c453ef8-654d-59af-aacc-b7ea0e17c893", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471742Z", "creation_date": "2026-03-23T11:45:30.471745Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471754Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"eaa5dae373553024d7294105e4e07d996f3a8bd47c770cdf8df79bf57619a8cd", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1c4c0c0a-abc8-55ee-9121-0c85a70395f7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812063Z", "creation_date": "2026-03-23T11:45:31.812065Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812071Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "284287b99fc92f7700c23bfcb78eb61d3101bd0767989e973d03e42bb67a660a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1c63b841-f1bf-556a-9fb9-5c4612094386", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483784Z", 
"creation_date": "2026-03-23T11:45:31.483788Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483798Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5d11c772a4b7ee2748f1da5ddab4960ae5751b4b4624399cda777af923ccfbbc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1c655c7c-67f9-5c50-b40f-5c47c5b12fa2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978650Z", "creation_date": "2026-03-23T11:45:29.978652Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978658Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "911e01544557544de4ad59b374f1234513821c50a00c7afa62a8fcca07385b2f", "comment": "Vulnerable Kernel Driver (aka magdrvamd64.sys) [https://www.loldrivers.io/drivers/cfd36b2e-cf96-498e-aeb6-ee20e7b33bbb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1c6f59b4-ac34-5c2a-895b-c15b51c12200", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826049Z", "creation_date": "2026-03-23T11:45:30.826052Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826061Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c764301c3ff5279d06ffd3b6a3180c9da38c3ae49d7eff8601835dabc8a9db99", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1c7efbca-a654-5c16-b872-c587fd4317ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612793Z", "creation_date": "2026-03-23T11:45:29.612795Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612800Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"e5e4dc1a918e201ec2cf02a036e4dd03dd04dfd179091c8adfbc6745eb830f2f", "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1c8af134-24cc-5972-97f1-717aea407f34", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810433Z", "creation_date": "2026-03-23T11:45:31.810435Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810440Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2be2c63aa1b437982d5ccede27644702a7edd189e3c498051030c6a7ace15a0b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1c8ef31b-a90b-5290-8142-65f2c37577b7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.821467Z", "creation_date": "2026-03-23T11:45:31.821469Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821475Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1582c2e29c20e43e3640f2054de2d06afdcb89524bf467b78a4a0ae747ccb9e9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1c9cdade-2732-55f2-ade1-274c20eb316d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823695Z", "creation_date": "2026-03-23T11:45:31.823697Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823703Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e9efab0c988bf7577596ad8ef753ab784a46c44455e7b9395e10622d3e9a80b3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1ca7ba84-f9f5-5e03-8177-b2b5174007c7", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985720Z", "creation_date": "2026-03-23T11:45:29.985722Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985728Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9ac6d632f61d9abe287616ade35f555cd8cf5b91adda382c5ced0cbae468b0e7", "comment": "Malicious Kernel Driver related to WINTAPIX (aka WinTapix.sys and SRVNET2.SYS) [https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1cab13d6-3a8e-5c07-9db0-8ab8f167e094", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975148Z", "creation_date": "2026-03-23T11:45:29.975150Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975156Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "af1011c76a22af7be97a0b3e0ce11aca0509820c59fa7c8eeaaa1b2c0225f75a", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1cc84bcf-b33f-5132-ab81-9c9a8d799815", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831882Z", "creation_date": "2026-03-23T11:45:30.831884Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831890Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8120ccba85fa029f3ad4a6498a573aa8ceb3bbde691a41da550ef87ba57f0d14", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1ccb5a5b-d54e-52e3-9a08-211f88fbd137", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816291Z", "creation_date": "2026-03-23T11:45:31.816294Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816302Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1b36f5995cda260348a3c01015e681432e1e363b2c15a42a8cedc9cc26a143b1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1cd329c7-49c1-5afb-b642-cc31e32e7701", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479277Z", "creation_date": "2026-03-23T11:45:30.479280Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479285Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cfa28e2f624f927d4cbd2952306570d86901d2f24e3d07cc6277e98289d09783", "comment": "Vulnerable Kernel Driver (aka VBoxTAP.sys) 
[https://www.loldrivers.io/drivers/f22e7230-5f32-4c4e-bc9d-9076ebf10baa/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1cdd33b6-22b1-5f32-be69-fad90ac6154b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487272Z", "creation_date": "2026-03-23T11:45:31.487274Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487280Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "679ad546f6c631471cf2590db7f9fdde7b8df2d1883b673a1ab739f975238200", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1ce2e860-bc84-593c-8249-77835115f9ad", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816508Z", "creation_date": "2026-03-23T11:45:30.816510Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816516Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8e1f3b15e4e5003a563bf8742558f5dc48fd0fe20238efe759001bf226f234ff", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1cfdb981-6005-57ec-9f8f-d85825095c4b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474741Z", "creation_date": "2026-03-23T11:45:30.474744Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474753Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "158f9e2bcec73e821d5df17c1d5f9f46f23ecd9f6cf101588578235240f5cca0", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1d087936-25d8-5891-8488-7bde0a489e4e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823502Z", "creation_date": "2026-03-23T11:45:30.823504Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823509Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6f36a82220bf47ed3a0fe4d33db7c9f22f1e9906930dad1609f15c8c74c1d402", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1d108049-dedb-591e-be69-72fbaccf90ba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475895Z", "creation_date": "2026-03-23T11:45:30.475899Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475907Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c190e4a7f1781ec9fa8c17506b4745a1369dcdf174ce07f85de1a66cf4b5ed8a", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) 
[https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1d1443ce-3788-5263-8bf5-0ec1e04a2f66", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481414Z", "creation_date": "2026-03-23T11:45:30.481417Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481425Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ec7af309a9359c332d300861655faeceb68bb1cd836dd66d10dd4fac9c01a28", "comment": "Vulnerable Kernel Driver (aka phymem_ext64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1d216cbb-342c-5b21-b9c5-b9f645a5a64f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833910Z", "creation_date": "2026-03-23T11:45:30.833913Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.833922Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "563684a67bba92fc286df805f6a1e8084ba49517ff904544885b06f149ea13ce", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1d231e1e-8909-5deb-82f0-05d99f7e20a9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142772Z", "creation_date": "2026-03-23T11:45:31.142774Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142780Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5b29023164d31da561b5c91c75f22377b9f0b8ded0b4b8b049a77e06b6a1ec24", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1d26770e-b3fd-576e-b143-a2766abce929", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458635Z", "creation_date": "2026-03-23T11:45:30.458639Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458648Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cf2ea0e4d21d3774bbacf10a14c75583b448829f87a90b869678fbc4de9b2a99", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1d3c2aff-ebf2-5472-bb52-97174bc86c15", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976192Z", "creation_date": "2026-03-23T11:45:29.976194Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976199Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1d3d62e1-49f9-57b4-add9-46f50b745586", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459709Z", "creation_date": "2026-03-23T11:45:30.459712Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459721Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "554bf34bde5e7c86fc463496d19a4369d911ccad90e3c684855192cd677641c4", "comment": "Vulnerable Kernel Driver (aka viragt.sys) [https://www.loldrivers.io/drivers/39742f99-2180-46d7-8538-56667c935cc3/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1d446710-8318-5ef1-acfe-6fb7e8565124", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821316Z", "creation_date": "2026-03-23T11:45:31.821320Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.821328Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "820022d1438b3b41578a556cc16c149f11c06bbee4dd31ef605cbec0fe7e4618", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1d4e49cb-7181-5830-b4ce-f76303ae36e3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.986119Z", "creation_date": "2026-03-23T11:45:29.986121Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.986126Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "625fce937dd4fed61bc3a0475e10b6f05d9061c99b5335bf3f33dc43511300b3", "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1d56f6b5-c75e-5eaa-84de-a251561e8e81", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495133Z", "creation_date": "2026-03-23T11:45:31.495135Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495141Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6d2298b33a526068d60e9964778cdf7b0467e0c272c89e7f647f91df04cfb2aa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1d637982-ac56-5c8a-80dd-83cb4f8eb2b1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967206Z", "creation_date": "2026-03-23T11:45:29.967210Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967218Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eb6f186c9bf73b0efd227d99e09659c321f0414bda568e99ee9a3863dc1a380d", "comment": 
"PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1d6d53ac-8ed7-5ee2-90be-009239ee6e14", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154996Z", "creation_date": "2026-03-23T11:45:31.154998Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155003Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3b08e1ce175b043fe35518554c6e9d9645cd4f454a76bd38303a0237de73e86c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1d6eb45d-59bd-568f-8eb7-991a4f20b2cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622633Z", "creation_date": 
"2026-03-23T11:45:29.622635Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622641Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "673b63b67345773cd6d66f6adcf2c753e2d949232bff818d5bb6e05786538d92", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1d792f90-9a2e-5c69-bbb8-21d368b944b0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150374Z", "creation_date": "2026-03-23T11:45:31.150376Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150381Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e659535a0d408d81ffffe237c17a21f30def814136bdf391fe73564fb131a8ab", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1d7f8b5d-903e-5bb7-bd8b-a92a48371f50", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829911Z", "creation_date": "2026-03-23T11:45:31.829913Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829919Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "001a03bdec4bf659f732b2d858e1a70b40446a455bc37d8d4e5c935f3ef32358", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1d802545-1d7d-5510-b8f6-4f599ee02042", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969309Z", "creation_date": "2026-03-23T11:45:29.969311Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969316Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "d5c4ff35eaa74ccdb80c7197d3d113c9cd38561070f2aa69c0affe8ed84a77c9", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1d81ec6a-22df-583d-bcc7-192b72381ac7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615290Z", "creation_date": "2026-03-23T11:45:29.615292Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615297Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1f210a62de46c5acb868a083465b94287331ec28acd3b269e64ab6c3f372021f", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1d89e9ac-f887-5d1e-8ea8-1e840349ff2b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.613136Z", "creation_date": "2026-03-23T11:45:29.613138Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613144Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bdcacee3695583a0ca38b9a786b9f7334bf2a9a3387e4069c8e6ca378b2791d0", "comment": "ASUS vulnerable UEFI Update Driver (aka AsUpIO64.sys and GVCIDrv64.sys) [https://codeinsecurity.wordpress.com/2016/06/12/asus-uefi-update-driver-physical-memory-readwrite/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1da640c3-dab8-593b-8091-43be9689d8bc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159652Z", "creation_date": "2026-03-23T11:45:31.159655Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159664Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "68ae2bd91421eb9fac0412e392af4b7f9ce1cc077cb069d904db243e7d8d7e66", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1daf158f-dd39-59b9-82e8-595b279f79eb", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968239Z", "creation_date": "2026-03-23T11:45:29.968241Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968247Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "16768203a471a19ebb541c942f45716e9f432985abbfbe6b4b7d61a798cea354", "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1db55043-ae03-5402-86d7-146f720264cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154041Z", "creation_date": "2026-03-23T11:45:31.154043Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154049Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": 
"hash", "value": "da7fc3aa13917d1d9dddae0f0353fdc5423a281a6c41cb12d7aec62e9128fad6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1dc54178-c0d3-5514-9f4b-7d6d243fcb8a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620548Z", "creation_date": "2026-03-23T11:45:29.620550Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620555Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "49f75746eebe14e5db11706b3e58accc62d4034d2f1c05c681ecef5d1ad933ba", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1dcf377a-baaa-5b5b-bd83-d7b93f7a0526", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:29.983404Z", "creation_date": "2026-03-23T11:45:29.983406Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983411Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "72b99147839bcfb062d29014ec09fe20a8f261748b5925b00171ef3cb849a4c1", "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1dd5449d-5ab1-5fd0-95ae-859a0adf3e7f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820859Z", "creation_date": "2026-03-23T11:45:30.820861Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820866Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "03680068ec41bbe725e1ed2042b63b82391f792e8e21e45dc114618641611d5d", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1dd5ca46-cc64-5208-a6f9-a446d9fb49c5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467736Z", "creation_date": "2026-03-23T11:45:30.467739Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467748Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "91e64a75caa5015cb1d874372e4fdfefa506de680a962fdd97b83206bdf1e27e", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1dd8b129-2f9f-5617-81f5-00ad709be9db", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466523Z", "creation_date": "2026-03-23T11:45:30.466526Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466535Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d50cb5f4b28c6c26f17b9d44211e515c3c0cc2c0c4bf24cd8f9ed073238053ad", "comment": "Malicious 
Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1dd9e8f4-f2bc-5813-9ccc-8d07c6179b05", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463728Z", "creation_date": "2026-03-23T11:45:30.463732Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463740Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2faf95a3405578d0e613c8d88d534aa7233da0a6217ce8475890140ab8fb33c8", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1dddbd04-2ce2-5a83-9c9a-d0ee7c989db9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833452Z", "creation_date": "2026-03-23T11:45:30.833455Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:30.833463Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "12dd733db66f745c5401a0470343f165767a6381b6789e45ceef1ab4c6e33983", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1de14c1e-662a-58d6-b0cd-1297f6cac62a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141237Z", "creation_date": "2026-03-23T11:45:31.141239Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141245Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "438baa1b1dffc3c86b75c6506ba92a53741cd9d5fd7e6460b6e7fd151e25f51d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1de217d1-f1f8-5bdb-923b-3da5c275b1c6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818906Z", "creation_date": "2026-03-23T11:45:30.818908Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818914Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d9674a1364fde6b5e7fb1770bdebb8db7de8e15f3c976e5c5102775c95452967", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1dfb65ca-96c4-5e34-a158-5b6f7ef5710c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828703Z", "creation_date": "2026-03-23T11:45:30.828705Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828710Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a18bb92e104e9f6de178c88f72866b365d9ec5d0d3868b0539900dfa3d25ed39", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1dffe9b1-2cf3-55ee-a109-8f5a07a1d918", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982520Z", "creation_date": "2026-03-23T11:45:29.982522Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982528Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "64f9e664bc6d4b8f5f68616dd50ae819c3e60452efd5e589d6604b9356841b57", "comment": "Vulnerable Kernel Driver (aka 1.sys) [https://www.loldrivers.io/drivers/a5792a63-ba77-44ac-bd4a-134b24b01033/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1e02357b-1664-56cb-b1b9-effe08dcd95a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820086Z", "creation_date": "2026-03-23T11:45:30.820089Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.820096Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8b6251a1883c5ed03ecdead8322e7d8105d075fef160abfe763d5873484b2a27", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1e096492-1e83-521b-a177-21d1afc6687c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972595Z", "creation_date": "2026-03-23T11:45:29.972596Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972602Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d0e25b879d830e4f867b09d6540a664b6f88bad353cd14494c33b31a8091f605", "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1e0b8d47-61f1-50c3-89ab-dff32d62b19b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143798Z", "creation_date": "2026-03-23T11:45:32.143800Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143805Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7326aefff9ea3a32286b423a62baebe33b73251348666c1ee569afe62dd60e11", "comment": "Vulnerable Kernel Driver (aka ACE-BASE.sys) [https://www.loldrivers.io/drivers/ff77b58d-e143-4f61-92de-c0d9bc0af7d5/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1e2dfd73-268e-53d1-bfdd-5a4de544a39e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822465Z", "creation_date": "2026-03-23T11:45:31.822468Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822477Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3bbfdefb8c8a7d0e7b0480ec06ad01b65ef056aea7e4fa2f0e8771e419a06b56", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1e32aa28-50b7-50c4-9272-022994920873", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608492Z", "creation_date": "2026-03-23T11:45:29.608494Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608499Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7539157df91923d4575f7f57c8eb8b0fd87f064c919c1db85e73eebb2910b60c", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1e352c2f-4a29-5b28-91d7-635b79f954a0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453813Z", "creation_date": "2026-03-23T11:45:30.453817Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:30.453825Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "516e39dcf7480de4bb86727321c099605a34a54f1d5b3a4aa6dc4bcf260274c9", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1e448bed-2862-5091-b10f-6fa28a072e9c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818161Z", "creation_date": "2026-03-23T11:45:31.818164Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818172Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aa3ebaa9faedddbeae1a80cc1953e79d1f6fae716e5f374f5bdf08015491a56e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1e44b3a9-1542-5155-bc68-7b7f5b75118c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974143Z", "creation_date": "2026-03-23T11:45:29.974145Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974151Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee3ff12943ced401e2b6df9e66e8a0be8e449fa9326cab241f471b2d8ffefdd7", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1e488398-47e6-5fff-b179-c128384c7dc0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827103Z", "creation_date": "2026-03-23T11:45:31.827105Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827111Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "624209252a70280a29d50cea1bed6f118a73b6558480659efb0bbad5c833ac8b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1e5827c0-508a-5997-85c0-f31ad87a265f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618841Z", "creation_date": "2026-03-23T11:45:29.618843Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618849Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "48567fa742841208d4f93f54031218703241baec6f59b1e4ab8a71c26de1cf85", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1e6ce154-d886-51ed-acde-19aa0a7f6453", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144322Z", "creation_date": "2026-03-23T11:45:31.144324Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144330Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ba164f28ac3703908f8b0e61f11a79eb5100bddbea25c4c89b1072b645434734", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1e6df447-77bd-511e-b40f-1df267127b3b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452187Z", "creation_date": "2026-03-23T11:45:30.452190Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452199Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b617a072c578cea38c460e2851f3d122ba1b7cfa1f5ee3e9f5927663ac37af61", "comment": "Vulnerable Kernel Driver (aka mhyprot3.sys) [https://www.loldrivers.io/drivers/2aa003cd-5f36-46a6-ae3d-f5afc2c8baa3/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1e8a1f4b-3cd2-5790-bfcd-56eeed9ca8c2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817523Z", "creation_date": "2026-03-23T11:45:30.817525Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817531Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b84dc9b885193ced6a1b6842a365a4f18d1683951bb11a5c780ab737ffa06684", "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1e8e0530-5ce1-5e53-9fa0-28da7970fd31", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145765Z", "creation_date": "2026-03-23T11:45:31.145767Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145772Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2279f01c81a67657cc33fde99b28d968c34228e6422a90b3ba9ed91b9f66ec9b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1e91be74-901b-578e-80b0-ebc824923841", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975237Z", "creation_date": "2026-03-23T11:45:29.975239Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975244Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f05359fe5793e947711c72cc8413e3b1d96c8a54eaafe4803827c4414f2f8e85", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1e9861ad-bac2-53fc-ae1c-038cebb2487f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.810503Z", "creation_date": "2026-03-23T11:45:31.810505Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810511Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a3a27a487d55d95821df5a311b44942cb18cfb7b917530d73b08f41e25cf218c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1e9f3bf4-6626-55a2-9d5d-bb40c4bdeaa3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.147150Z", "creation_date": "2026-03-23T11:45:32.147152Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.147158Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "78ccae1341d6546c9d238e824a2261a961bd9a843f6d951d649fbc09ad0e01a0", "comment": "Vulnerable Kernel Driver (aka BdApiUtil64.sys) [https://blog.talosintelligence.com/byovd-loader-deadlock-ransomware/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1eab2acf-25ab-5817-81e0-b0a2dc584930", "test_maturity_current_count": 0, "test_maturity_delay": 
7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615554Z", "creation_date": "2026-03-23T11:45:29.615557Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615562Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5eb233ed9df3c1def326e2c63ee304dc85af303f8c9f038c993aa6e34f91ffaf", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1eadbae6-1e01-5f4f-b9d7-fcdfbbb84d8c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160012Z", "creation_date": "2026-03-23T11:45:31.160014Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160020Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"e2f12442e3b9d2ba640de7f353f6567d960a9fb5a17cc3c9be886541aefc94ef", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1eaeed44-9666-5c7d-81d2-dfe85b641634", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617254Z", "creation_date": "2026-03-23T11:45:29.617256Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617262Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7188af66fe23bd8cf27f003ad6c7550cdb6faa5c948fe7c3b1435c9246345eb3", "comment": "Noriyuki MIYAZAKI's WinRing0 dangerous driver (aka WinRing0x64.sys) [CVE-2020-14979] [https://www.loldrivers.io/drivers/f0fd5bc6-9ebd-4eb0-93ce-9256a5b9abf9/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1eb38bbc-69c3-522a-b5e8-9df7c0dce3de", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:30.480295Z", "creation_date": "2026-03-23T11:45:30.480298Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480306Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8a228c751d1664b362f10dc7083c223995b976b264da8b7380c51157bed66fbe", "comment": "Vulnerable Kernel Driver (aka GEDevDrvSYS.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1eca7b23-9882-5ff0-8682-ec354a9c847c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455024Z", "creation_date": "2026-03-23T11:45:30.455027Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455036Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "16e68d2fa75a4e04872be42e2b54c041e43ab3409096741690520417e3368aa6", "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1ecd3c0e-37e8-57c6-8871-dfe65076f60b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621037Z", "creation_date": "2026-03-23T11:45:29.621039Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621044Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "04a85e359525d662338cae86c1e59b1d7aa9bd12b920e8067503723dc1e03162", "comment": "Fujitsu Vulnerable Physmem drivers (aka ADV64DRV.sys) [https://www.loldrivers.io/drivers/24fb7bab-b8c3-46ea-a370-c84d2f0ff614/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1ecfe291-ad0b-5c2e-b4be-0d17c8790897", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978265Z", "creation_date": "2026-03-23T11:45:29.978267Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978273Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "25d16b2b53fc7b52a65616ab7fc04a503946c20fe96556681bfaddd589401f4a", "comment": 
"Malicious Kernel Driver (aka wantd_2.sys) [https://www.loldrivers.io/drivers/aa687f89-4f3b-4b59-b64e-fee5e2ae2310/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1ed2c5cc-a617-59dc-b243-81501b587c74", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835115Z", "creation_date": "2026-03-23T11:45:30.835118Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835128Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "818c8775305dd8ba8e7f0d1288e2e55263cbc6a43537afcfa396c0bf78bc85c0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1ed4b142-a4df-5648-891b-e9a6e5c64201", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622742Z", "creation_date": "2026-03-23T11:45:29.622744Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622749Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ad44cfd9c6262a6ff36ee9d03e59ba4b0524ef87f6b980ce15abb10a35d39f88", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1eddd2cd-75b0-58f6-bfac-dbfc0ef0c3cc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488517Z", "creation_date": "2026-03-23T11:45:31.488519Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488525Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1e080f8de089ab20471c9997c9eae8137e961929baa8393aa10adbf3fefbd69d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1edec569-c21c-5d5d-8051-5022133d0284", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153754Z", "creation_date": "2026-03-23T11:45:31.153756Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153762Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a350230410e13cd62cc24a04d5a878ad99e7af0e9698a3f8a8c0eb291341cd24", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1ee17096-ce07-557c-bed2-c993e277561c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817268Z", "creation_date": "2026-03-23T11:45:31.817270Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817276Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"56e4738d3e3d0df82ac63ee95648db53e462d6916c55a2d49208703c3ded46a6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1ee3b266-a016-598d-8420-90c953a3227d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827694Z", "creation_date": "2026-03-23T11:45:31.827696Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827702Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e8c22851b9c42ca5429e4f7d5afcf3757a16c4bae072eba3f2888b9c20ed15ea", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1ef0ffec-0ce7-59a5-9436-cc86d31e0d4d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975272Z", "creation_date": "2026-03-23T11:45:29.975274Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975280Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bb82d8c29127955d58dff58978605a9daa718425c74c4bce5ae3e53712909148", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1f01b7be-3ceb-5c2f-9b00-f6696ec38a2d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984264Z", "creation_date": "2026-03-23T11:45:29.984267Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984275Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd573f23d656818036fc9ae1064eda31aca86acb9bc44a6e127db3ea112a9094", "comment": "Vulnerable Kernel Driver (aka irec.sys) [https://www.loldrivers.io/drivers/d74fdf19-b4b0-4ec2-9c29-4213b064138b/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1f0b737a-add9-5f72-b4ba-ff015081f5f6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969664Z", "creation_date": "2026-03-23T11:45:29.969666Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969672Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b84b27e0fd011545f447c8c630beeadc2581b7b43fba3b53575f6e2fb92d197b", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1f147bec-6bfa-5cfe-9c67-031eef9861ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483308Z", "creation_date": "2026-03-23T11:45:31.483312Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483322Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ed31d19a9ee7cb12f99c5b706e265bb6b10eec85c5b89126a23f2f856a28fe79", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1f2188da-a9b2-5723-b9cb-b01c180f045f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608613Z", "creation_date": "2026-03-23T11:45:29.608615Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608621Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "147ea2957c15a5c92c6b7f8f2811e29e9f2c4df1efdbd69b79eeab40652861ef", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1f328423-3149-5010-b783-994b9e38cd6d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972003Z", "creation_date": "2026-03-23T11:45:29.972005Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972010Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "57a389da784269bb2cc0a258500f6dfbf4f6269276e1192619ce439ec77f4572", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1f352714-0552-5037-a478-bfee437d06e8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822228Z", "creation_date": "2026-03-23T11:45:30.822230Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822235Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "df813922fcebbcaae99314cc207ec95111a6599ec7fb2d723f6bb1052c493c8a", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1f6379eb-d8a8-5c08-aa62-a15422c01fba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621427Z", "creation_date": "2026-03-23T11:45:29.621428Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621434Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2d195cd4400754cc6f6c3f8ab1fe31627932c3c1bf8d5d0507c292232d1a2396", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1f7952d7-ff01-5897-a9a4-54c891177916", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479111Z", "creation_date": "2026-03-23T11:45:31.479115Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479124Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "5001b9e561ca074ea92eeee37e1cbd08b11caacece4af05050875aee4872d3e4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1f7eb42e-e99a-5983-8a2e-d6a1c83842a6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832660Z", "creation_date": "2026-03-23T11:45:30.832662Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832667Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8efda1292eff521b42d38ffc75e5ecfa4fa255658fb768adf53d111ed25da6cf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1f880eba-d0bc-58c4-b529-bc568278c505", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607561Z", "creation_date": "2026-03-23T11:45:29.607563Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607568Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3ff50c67d51553c08dcb7c98342f68a0f54ad6658c5346c428bdcd1f185569f6", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1f88d06c-031a-5c6f-8209-7a7db9b9f4af", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820954Z", "creation_date": "2026-03-23T11:45:30.820957Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820965Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c186967cc4f2a0cb853c9796d3ea416d233e48e735f02b1bb013967964e89778", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"1f8fd750-2d83-5c91-8134-22c87e089c3e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616721Z", "creation_date": "2026-03-23T11:45:29.616723Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616729Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "038f39558035292f1d794b7cf49f8e751e8633daec31454fe85cccbea83ba3fb", "comment": "Vulnerable Kernel Driver (aka amifldrv64.sys) [https://www.loldrivers.io/drivers/a5eb98bf-2133-46e8-848f-a299ea0ddefa/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1f93204f-1339-552a-a546-0502a90d332d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490066Z", "creation_date": "2026-03-23T11:45:31.490068Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490074Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "a61c0d6e44ae7634598b91c71d8c84982c378ae341af6f7d485b808948e09630", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1f957a54-c58f-5020-aa12-12549afd8993", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605156Z", "creation_date": "2026-03-23T11:45:29.605158Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605163Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "57982057bae3808abd3417d0827fcf596f979f824cff149b2f8cdcf25b86396f", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1f973f29-96dd-5120-b476-4b463d4a3bc7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.465596Z", "creation_date": "2026-03-23T11:45:30.465599Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465608Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "15cf366f7b3ee526db7ce2b5253ffebcbfaa4f33a82b459237c049f854a97c0c", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1fb1f7af-1f12-51ac-8efc-b22403b685d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611549Z", "creation_date": "2026-03-23T11:45:29.611551Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611556Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "057e45b47fe0ca96fe3741058bc4365c9a866dff925cab8cfea4c161b990e8e2", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1fbb35de-b1d9-5710-b636-a2555fc7aab4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473095Z", "creation_date": "2026-03-23T11:45:30.473099Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473109Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c673f2eed5d0eed307a67119d20a91c8818a53a3cb616e2984876b07e5c62547", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1fc38b99-e554-5127-9ac1-60f8a9abaa7f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977799Z", "creation_date": "2026-03-23T11:45:29.977801Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977807Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8111085022bda87e5f6aa4c195e743cc6dd6a3a6d41add475d267dc6b105a69f", "comment": "Vulnerable Kernel 
Driver (aka NetProxyDriver.sys) [https://www.loldrivers.io/drivers/c1ece07b-e92a-4050-95ee-90e03aa82120/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1fc49f6c-4ee6-5663-8fbb-d14f3a4229b3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826420Z", "creation_date": "2026-03-23T11:45:31.826422Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826427Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8ec94129adcf736bbc7d4a8d9689bba64b9bba8849f420f17ab9292fa671294e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1fd251fa-be87-57c4-b465-43222e0c452b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605788Z", "creation_date": "2026-03-23T11:45:29.605790Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605795Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "41cceace9751dce2b6ecaedc9a2d374fbb6458cf93b00a1dcd634ad0bc54ef89", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1fd3834b-1203-5941-9dfb-928b7d258115", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455389Z", "creation_date": "2026-03-23T11:45:30.455392Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455401Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c2557b448d71c6873bf71f5ab41cc618d12d5c91717bf8738b6b5dce187326c2", "comment": "Vulnerable Kernel Driver (aka VBoxUSB.Sys) [https://www.loldrivers.io/drivers/70fa8606-c147-4c40-8b7a-980290075327/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1fd3fe23-73f3-5c78-94f6-d25c5bdec271", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141078Z", "creation_date": "2026-03-23T11:45:31.141080Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141085Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "98c2f4a08e0d4b3f25c49ab8efa7e2875dcf084ad6592d4930e19276cf9cab48", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1fd9fa73-7aff-5f30-bedb-59c7629e175d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487023Z", "creation_date": "2026-03-23T11:45:31.487027Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487035Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "20b164228a019d203a24c761715c3b13e38b16ac01c668727cb716759162950b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1fed9dd1-8f0e-5297-b6ec-70932b5996fb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830997Z", "creation_date": "2026-03-23T11:45:30.831001Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831007Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1fc6af1d7f8607539ca11cf35b0be782bf1a758f32960444045da53079a2cdce", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1fee6ff8-f9dd-5f6d-bfdd-bc3669e2c8c9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831308Z", "creation_date": "2026-03-23T11:45:30.831310Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831323Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "259f27e01cd7cbd9e62beb9387d78f1dba7d3f80da50d9156574a89ae9f6d1e8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1ff5c28a-683d-59ab-b69a-7b20b45d154d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817884Z", "creation_date": "2026-03-23T11:45:31.817888Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817898Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ac44f0d31b51f6e41d6519772d65a2e82c11f2397f999aac78b1eb16ec369bdc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "1ffcf12b-4af7-5153-ad94-e3bd5909452d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470221Z", "creation_date": "2026-03-23T11:45:30.470224Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470234Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7fe1958f35b91da7819002c38642bb9408db3167bd311c637aaae6f9d45af3e4", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "20075074-cd43-53c9-a00d-4f63474fc810", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983068Z", "creation_date": "2026-03-23T11:45:29.983070Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983076Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bf118e97d662139c1152d25a69cfa02659381aeeeea9d2222ac96fe740752c09", "comment": "Vulnerable Kernel Driver (aka 
nstrwsk.sys) [https://www.loldrivers.io/drivers/e9b099f6-8a12-46f0-a540-40e88cf0ce17/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2009bbe1-e357-570b-be99-cae8ce3b61b0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453461Z", "creation_date": "2026-03-23T11:45:30.453464Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453473Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bae01ea7b49bd090e198448c41293830a6e2c68821d65f69ec7dc98a16baef21", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "20103ec1-1f06-5d36-b33a-4031b58b9b3a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.471776Z", "creation_date": "2026-03-23T11:45:31.471779Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.471788Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a68b800d2ff84f593e6c74bfa38efa7add3d8ef5143f72fdfe5edd3ebbe6757c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "20117979-2abb-5a33-b354-a5773b3e5161", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453665Z", "creation_date": "2026-03-23T11:45:30.453669Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453678Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8fca5b647af3f792898efc1bdc008745643b417282cdee13d4edf93a4a8308a0", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "20175d13-d747-553a-aba6-ab62c55ed8bd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817286Z", "creation_date": "2026-03-23T11:45:31.817288Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817293Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a71e7ecde0a642339d61eebea2adecb3ccdcab0249b739831556e6e95661c7ce", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "201aa671-0ada-52a8-a1ef-ebebfac173ac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.497671Z", "creation_date": "2026-03-23T11:45:31.497673Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.497679Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8b36758b96ce1afd3328aec3f4e5808cc2b47d80894032ffa7de14c4767f1f39", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "201b1d5b-01b2-51e9-9798-12be5c18f4bd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475571Z", "creation_date": "2026-03-23T11:45:31.475574Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475583Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "acca6bbdabb64fdba72f37038a2d342859e56f55f493bbce5097ccd7093d9312", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "201daf13-5e98-58ba-875f-4a59394ebb27", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822854Z", "creation_date": "2026-03-23T11:45:30.822856Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822861Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1e24c45ce2672ee403db34077c88e8b7d7797d113c6fd161906dce3784da627d", "comment": "Vulnerable Kernel Driver (aka SBIOSIO64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2033770c-1838-5069-a2bf-159d9044391d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817382Z", "creation_date": "2026-03-23T11:45:30.817384Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817389Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ffd548833a96c2c5f8410b22fc110d10b36a47eb0b16b3d2e7edb82c3cabf97b", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "20364d36-bfec-587d-ba39-2952d2eda0e5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985430Z", "creation_date": "2026-03-23T11:45:29.985432Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985438Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "04cfb452e1ac73fb2f3b8a80d9f27e19a344a6bf0f74c7f9cae3ae82d3770195", "comment": "Dangerous Physmem Kernel Driver (aka Se64a.Sys) [https://www.loldrivers.io/drivers/d819bee2-3bff-481f-a301-acc3d1f5fe58/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "204bc6a4-1e59-5593-8126-1f496a4edc33", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826514Z", "creation_date": "2026-03-23T11:45:30.826516Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826522Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "95542b32e0881e08e87fd38310f598cacfb37f7fc57b8d7d919a6707b175dbd2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "204bec7c-e9d7-571d-aeaa-be990f5d6941", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159868Z", "creation_date": "2026-03-23T11:45:31.159884Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159889Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "64c27a36524d1967e9ba2515976823e4471583225676b61ee8b3c87cfa4138e5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "20521ede-ccba-5518-8d92-76a7e12e8a09", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156980Z", "creation_date": "2026-03-23T11:45:31.156982Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156987Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6fc0c630eb1778687bc1eb56a4b735b1ad39f21b607e5e15544191b8ef8b5fa4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "205c3118-5668-5a16-a634-3d557bb910e9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970677Z", "creation_date": "2026-03-23T11:45:29.970680Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970687Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "da5135871e9e0004bb60d0be31f8d96988f9b82025abccadfd87c937df22686b", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2064be61-c105-5f1b-a7be-76852e4c4653", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616095Z", "creation_date": "2026-03-23T11:45:29.616097Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616103Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8797d9afc7a6bb0933f100a8acbb5d0666ec691779d522ac66c66817155b1c0d", "comment": "Phoenix Tech. vulnerable BIOS update tool (aka PhlashNT.sys and WinFlash64.sys) [https://www.loldrivers.io/drivers/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2070dbe7-d41a-5595-80c3-2e31c5675829", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481785Z", "creation_date": "2026-03-23T11:45:30.481787Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481793Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "df96d844b967d404e58a12fc57487abc24cd3bd1f8417acfe1ce1ee4a0b0b858", "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file 
SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "207e873f-2466-5b0c-ab29-636013f5cc7f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145187Z", "creation_date": "2026-03-23T11:45:32.145189Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145195Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "981d03e19f14de0ccffef8fa974797d9cdfef6dafc7349d9bbf27434dc16dede", "comment": "Malicious Kernel Driver (aka driver_981d03e1.sys) [https://www.loldrivers.io/drivers/1106fe7a-b78b-4edf-85c0-6208979f380b/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "208270f5-4aef-5e1b-ad33-ff9421905b42", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830598Z", "creation_date": "2026-03-23T11:45:30.830600Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830605Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f9d76e1257b1cfdb8028809f1cf5da0bcbb33d07deedc7e95c5953dd3f195e1a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2083c1bb-1f44-55f1-9dc0-665e87b26e90", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810681Z", "creation_date": "2026-03-23T11:45:31.810683Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810688Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "54467b895627b5b6abb457ba20fe497244d152cae3881a35ea30231f09dde0a9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2097b4cf-7433-575b-8d0f-abbc04f187b7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143024Z", "creation_date": "2026-03-23T11:45:32.143026Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143032Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ede9a3858a12d5ddea21a310e5721bf86c2248539f42c9e0c3c29ae5b0148ba5", "comment": "Vulnerable Kernel Driver (aka msr.sys) [https://www.loldrivers.io/drivers/ee6fa2de-d388-416c-862d-24385c152fad/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "209f285a-1d37-5d25-af91-0eb03e16efd2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474445Z", "creation_date": "2026-03-23T11:45:30.474448Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474457Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2145851bdcbf8419f09fd7470422dd56be1b415b15f39f0632bdd797cf500b36", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"20a147ce-5f18-5f72-9002-144eecb11455", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151887Z", "creation_date": "2026-03-23T11:45:31.151891Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151900Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4f8b32786de3bf22e92144ed115b6800e03568944fe95699b9002db04e13a20a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "20a20d07-6896-5ce7-8679-08757e3f90ea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971390Z", "creation_date": "2026-03-23T11:45:29.971394Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971403Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8fe9828bea83adc8b1429394db7a556a17f79846ad0bfb7f242084a5c96edf2a", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "20a23836-f4df-5dda-88dd-5fb75db9bbdb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485038Z", "creation_date": "2026-03-23T11:45:31.485042Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485051Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "73fcab1ad989ed08cf3c054a29b474fe5a39b1fb145ca34decd553433bff8210", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "20b6dda7-f766-5a2f-b985-444b9ea6f6ae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494023Z", "creation_date": "2026-03-23T11:45:31.494026Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494036Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aee1f887d981f49b4b6e0d60c195b6a96da3f1ff005ad78c11c4ab35ae9f983f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "20b8dffb-7297-5156-91a6-849a46ea10d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615186Z", "creation_date": "2026-03-23T11:45:29.615188Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615193Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5b08a501124d13262c86889617071743521aeefc2d77f678d541aa8dbad52992", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash 
SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "20be698d-bd18-5449-a0c4-73da695ab941", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979675Z", "creation_date": "2026-03-23T11:45:29.979677Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979682Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a0801ade5de44b65afb8c275e11e4d766ae64af1a5740ad4f1db1acc4e088774", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "20c54db1-d889-57e5-9206-e0f68a9851f5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489403Z", "creation_date": "2026-03-23T11:45:31.489406Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489413Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0c9e1cdedf76956540458a3dbf153c833e54201deea1ab22c08ad6725ed9f19a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "20d24f85-d917-5141-8d3e-e34155d9ef51", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830132Z", "creation_date": "2026-03-23T11:45:30.830134Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830139Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "89021b58a0f068b2d54c7136583224a43a33e2547b5a1aa40a871d9f9731ef73", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "20d378f6-b625-51fc-924c-a9eae74ae3bb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146367Z", "creation_date": "2026-03-23T11:45:31.146369Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146374Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "60cfdb1641547fa688a114639b6bff13742fc8bb61b85c30d2bf9952c0e3359f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "20d5f906-da44-5d2f-9b2c-12d47ab3c975", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817035Z", "creation_date": "2026-03-23T11:45:30.817037Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817042Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5a0b10a9e662a0b0eeb951ffd2a82cc71d30939a78daebd26b3f58bb24351ac9", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "20e06026-add4-5071-b373-9b0a5cbcac7a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831918Z", "creation_date": "2026-03-23T11:45:30.831920Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831926Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a6c32bb6d976f5f7125d01f30f6e76d0fb6e4c5a33d1bba1d79e30f7dec52274", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "20e5e827-9eb5-5bb0-a3af-cbdb55d8620a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453283Z", "creation_date": "2026-03-23T11:45:30.453286Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:30.453296Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a15325e9e6b8e4192291deb56c20c558dde3f96eb682c6e90952844edb984a00", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "20f4b53d-3503-52ad-a6ca-74263f59004c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148809Z", "creation_date": "2026-03-23T11:45:31.148812Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148820Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6f909d9bf3f0974d6ecda2956d7c2c3c39e693c01550bebed05ee1cf02091eff", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2103dd29-832b-557e-a9d0-b8fc4341aa85", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622437Z", "creation_date": "2026-03-23T11:45:29.622441Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622447Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3f9530c94b689f39cc83377d76979d443275012e022782a600dcb5cad4cca6aa", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "210706cb-6d84-563b-b5c5-14fe6c91aa97", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819777Z", "creation_date": "2026-03-23T11:45:30.819779Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819785Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "77da3e8c5d70978b287d433ae1e1236c895b530a8e1475a9a190cdcc06711d2f", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "21103903-e415-5430-ae82-59bbd377f7b8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611062Z", "creation_date": "2026-03-23T11:45:29.611064Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611069Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "36729c2c714e05ebf9bc7262bc7f0d5d25d9dc9c8e0c4fdce27143bbdd9d9aa7", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2113e119-a16e-5f6b-b4a7-f50c34a99ed5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816491Z", "creation_date": "2026-03-23T11:45:30.816493Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816498Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "783a127c470a136b07a41bdaf2d78a8e4e73c3fca1a124d33d5f8653ef887d30", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2118f218-c663-5734-a2fd-3d26fc521c1e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820460Z", "creation_date": "2026-03-23T11:45:30.820462Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820468Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ebe114a72d27b5abf47e17137dbb85f52ca987c8bb80ea709eb3293c9637f73c", "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "212343ec-985b-5528-b2dc-d836b03015fc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605594Z", "creation_date": "2026-03-23T11:45:29.605596Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605601Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c18b6993154fa0e24d15726c50e8325d32381020786ce22eb1b71184d95af481", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "21290020-1544-54d2-a09d-016502eae338", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453133Z", "creation_date": "2026-03-23T11:45:30.453136Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453145Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c2f1e2b0cc4da128feb73a6b9dd040df8495fefe861d69c9f44778c6ddb9b9b", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "21348137-f6d8-5ef9-8ac9-0021786a1c32", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620900Z", "creation_date": "2026-03-23T11:45:29.620902Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620907Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "05f052c64d192cf69a462a5ec16dda0d43ca5d0245900c9fcb9201685a2e7748", "comment": "Phoenix Technologies Vulnerable Physmem drivers (aka Agent64.sys) [https://www.loldrivers.io/drivers/5943b267-64f3-40d4-8669-354f23dec122/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2134d7da-132a-56af-a8b2-2a040f4ac486", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824115Z", "creation_date": "2026-03-23T11:45:30.824117Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824126Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"394a05770de545620828504403f8a746e5cc1f26d4363317c0497e4b0310b5e8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2148fea8-7aa1-5201-9617-28343f8c4743", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608086Z", "creation_date": "2026-03-23T11:45:29.608088Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608093Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "918d2e68a724b58d37443aea159e70bf8b1b5ebb089c395cad1d62745ecdaa19", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "214e02e9-7fc2-5448-9b0b-c55263ae7f74", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489726Z", 
"creation_date": "2026-03-23T11:45:31.489729Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489737Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b355ff97defd226c9b79f92283c940f9d00bfda1b629dc70c761bf044b7ac8c0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2159d869-033a-50c0-9bb7-df80e62a39a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820911Z", "creation_date": "2026-03-23T11:45:30.820913Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820919Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d6801e845d380c809d0da8c7a5d3cd2faa382875ae72f5f7af667a34df25fbf7", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2166c90d-2cda-581a-9642-dad07271ef8f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 
10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468527Z", "creation_date": "2026-03-23T11:45:30.468530Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468539Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "047e4158225af627382c412fa1f870479a238841341bc13e60312269feb14083", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "216d41f7-eac1-55bd-b87c-b9f5f6d6bf88", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970564Z", "creation_date": "2026-03-23T11:45:29.970566Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970571Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "557d6eb7550b038a3d92832b6218d5e6be72f490958f4ffa87ccd821f8866c3c", "comment": 
"Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "217915dd-6f83-5c72-9f46-81b8c72200ef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472810Z", "creation_date": "2026-03-23T11:45:31.472814Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472821Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "197144bb4d00a04d2860594096b3db45e86581bca9beb131fca69227a2761ccb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "217adcd7-950f-5155-be70-a796ef3fc846", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810011Z", "creation_date": "2026-03-23T11:45:31.810013Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810018Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e5cb8102fdd41687f386e57c7728a07810e620e9117d7394d79d5ad753261ffc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "21877d01-7486-5db8-ad6c-3f5df81a9099", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458722Z", "creation_date": "2026-03-23T11:45:30.458725Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458734Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "058c4fbd3a12f0d7ddfc771067f03dea88cc33dd4b61139edcb0b2d17905f084", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "218924ad-8816-5364-b3e5-7a9ba6cde337", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160153Z", "creation_date": "2026-03-23T11:45:31.160155Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160161Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "62acd95fb57656258a9621b72b5a6697f90e18c9941fc840f993d304522c3f42", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "218decdb-7c20-5bc7-9ac4-d8980e603efc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619524Z", "creation_date": "2026-03-23T11:45:29.619526Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619531Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "38e7a51de1701057088aac05a8d98a7bb447f8204d193a9f77f449c97b00c850", "comment": "Insyde Software dangerous update tool (aka 
segwindrvx64.sys) [https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Program%3AWin32%2FVulnInsydeDriver.A&threatid=258247] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "218e03dd-6e9d-556a-8d4e-8ff14e7180bf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146970Z", "creation_date": "2026-03-23T11:45:31.146973Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146978Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fcde2218562066972e7794ca362dfef3ad98a8eb03750e0610cd47c2bed6b74c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "218f2ef1-f0a0-5120-93f2-cc088926a6d8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971542Z", "creation_date": "2026-03-23T11:45:29.971544Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971549Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1997b7217dfddd8fbd4924e86b58fe585ef4bd91c3069d3deeb34ea70eb82d60", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2192c2b4-4066-5489-9fdb-518c23fa6525", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620763Z", "creation_date": "2026-03-23T11:45:29.620764Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620770Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b1334a71cc73b3d0c54f62d8011bec330dfc355a239bf94a121f6e4c86a30a2e", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "219b1808-2fe3-5b76-ac3c-568719d4c284", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458848Z", "creation_date": "2026-03-23T11:45:30.458851Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458860Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aa1c07fc6289ddc2182b11e555073e66b7acbfc17c38efb44ecaa19a6aaf722f", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "219d4acc-ee4c-5d64-96f3-d43ac21a4a61", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477549Z", "creation_date": "2026-03-23T11:45:30.477552Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477561Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b11e109f6b3dbc8aa82cd7da0b7ba93d07d9809ee2a4b21ec014f6a676a53027", "comment": "Vulnerable 
Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "21a5a513-4811-5537-93a8-b2b9322aa250", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458079Z", "creation_date": "2026-03-23T11:45:30.458083Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458092Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f62911334068c9edd44b9c3e8dee8155a0097aa331dd4566a61afa3549f35f65", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "21be4aed-a057-512d-b267-3bfa722e07ba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828618Z", "creation_date": "2026-03-23T11:45:31.828620Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:31.828626Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "285d8e3f07009af95cdeab7bfc91cdbfbae48663582745a5881cfd7d63168ff1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "21bfdfd2-d7c0-5b7c-8e5e-efd6a6b8c3d1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478542Z", "creation_date": "2026-03-23T11:45:30.478545Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478554Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a2d9f91ede8aed51960ca67318ea337152bb311c03275c0650e4421e6af6b7ee", "comment": "Vulnerable Kernel Driver (aka vboxdrv.sys) [https://www.loldrivers.io/drivers/2da3a276-9e38-4ee6-903d-d15f7c355e7c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "21c56f4d-ad5e-51ab-80b2-807c0fe08a0e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817905Z", "creation_date": "2026-03-23T11:45:30.817909Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817917Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e2b6350e17e9b24b7140eed743b4ae0b01453bbb8cb73b091b51e2306017d80f", "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "21ecad1e-431f-56b5-a336-b69db5a220e7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810646Z", "creation_date": "2026-03-23T11:45:31.810648Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810653Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8d86545c85fa90faa95f5d67723686174f82107dd423feba54907ce0e4297f87", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "22054282-f6c4-58d4-bd1f-5515b4a07cf0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481115Z", "creation_date": "2026-03-23T11:45:30.481117Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481123Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e3a74ac9d23efaa857333a4d8a40ed0026f28575475deeb6eb301fcc0db34efc", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2215df9f-951b-5cb3-8d9f-e394810e80c8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145956Z", "creation_date": "2026-03-23T11:45:31.145959Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.145967Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ebce1e4dc3b7128e7bfb61ce564b00e2643d3824d3bdf59ffdb3dcdc179aa03c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "22199dd4-c945-5622-9ca4-7639c7c97a78", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968892Z", "creation_date": "2026-03-23T11:45:29.968894Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968899Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "19d0fc91b70d7a719f7a28b4ad929f114bf1de94a4c7cba5ad821285a4485da0", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2235af9e-6f98-5d24-aa4f-b79e89f8cc0d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983832Z", "creation_date": "2026-03-23T11:45:29.983834Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983840Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47489362609fa9bd398deec955d5600780bb3788eb29a282bcc5245905713eb0", "comment": "Vulnerable Kernel Driver (aka GLCKIO2.sys) [https://www.loldrivers.io/drivers/52ded752-2708-499e-8f37-98e4a9adc23c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "22411822-4752-52f3-8877-0fd21ba88070", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613242Z", "creation_date": "2026-03-23T11:45:29.613244Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613249Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ece0a900ea089e730741499614c0917432246ceb5e11599ee3a1bb679e24fd2c", "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "224b83bb-9e02-55c4-8346-343791bd86c5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969984Z", "creation_date": "2026-03-23T11:45:29.969986Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969992Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47f64d6753f40388382097351a26dad54b8fdf59529a24acc65e9ced440ee2c6", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "224bc865-63ed-5e39-a42a-fb58711c33da", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475507Z", "creation_date": "2026-03-23T11:45:31.475511Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475521Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9ab7f3cae3cda68c14847807f120099d150062ba0d3af26e500dce2b099c5ae3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "224ff849-5ac7-59e8-9a76-6e6b46bc4e3f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152631Z", "creation_date": "2026-03-23T11:45:31.152633Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152639Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4b4ff34191eff716061cc36b039bb79db011c7f4a86cb0f1a0e9a5f6bd1b8913", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "225537ae-c682-5d94-9322-54b96efef55e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836047Z", "creation_date": "2026-03-23T11:45:30.836049Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836054Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "54b5c0860d299f087df2aef68ba94dedafda743d320cdb34983a74b7abc6b51e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "22573e41-4e25-55ae-b043-c90575b87d14", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160988Z", "creation_date": "2026-03-23T11:45:31.160990Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160996Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4d46ac2d32333f11249ab2cb55903a1736d2fe5ed4206b49fb4d6ed151bd5f5d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "225adcae-7df7-5eb6-a770-a8fdc8300a1b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487825Z", "creation_date": "2026-03-23T11:45:31.487827Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487833Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a72552491b4974eefcd717068c211312b14ad187161853bdaff458f734fa9e33", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "225f0cc6-67f0-5fd6-ae9e-7ce48f384bfe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607036Z", "creation_date": "2026-03-23T11:45:29.607038Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607043Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e2e351efd57c89bc0c7b9d4d440113304d0b8a4c88cdf0126442171aa50634d4", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2265c449-bd48-50f8-a481-44f42e5720a6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814839Z", "creation_date": "2026-03-23T11:45:31.814843Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814852Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4d01473998e75d5f07507fad0eef36a95847b2f181fa951545f9f894f39eebdb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2265d2c9-8233-5a1f-8958-db62bd70f760", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471498Z", "creation_date": "2026-03-23T11:45:30.471502Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471511Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "707b4b5f5c4585156d8a4d8c39cf26729f5ad05d7f77b17f48e670e808e3e6a0", "comment": "Vulnerable Kernel Driver (aka AsIO.sys) [https://www.loldrivers.io/drivers/bd7e78db-6fd0-4694-ac38-dbf5480b60b9/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "226b4eda-bb45-5dc4-b886-1cadd2cf34d9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500602Z", "creation_date": "2026-03-23T11:45:31.500605Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500613Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4e79d273fc5bf32ba7bd526428b19322805eaebfbf7ecfde8fa51511085cc9be", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "22762581-1ab3-5674-a9a6-2fc29c1a6ff7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.623045Z", "creation_date": "2026-03-23T11:45:29.623047Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.623052Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9996b31234ba736fc2c6f2b75f641e25d156f19d6ac84cf85283fde08a714842", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "22767396-370b-5c7d-9ef8-8cc6e8a3c900", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463670Z", "creation_date": "2026-03-23T11:45:30.463674Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": 
true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463682Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "07beac65e28ee124f1da354293a3d6ad7250ed1ce29b8342acfd22252548a5af", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "227d63ea-036c-5b18-8aa9-905e79b2157e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622071Z", "creation_date": "2026-03-23T11:45:29.622073Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622078Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "19c74ea0e0baf04820e5642bd2fa224158801ed966be1041539e3c55bd65c471", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2290678e-0c9f-5db1-ab39-7e4bb04f5bff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974195Z", "creation_date": "2026-03-23T11:45:29.974197Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974202Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "683f0af364f8a19f81d2e095e17de6d403ba3672bdf4a1caf601bca5b57454df", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "22a41698-78c8-5c2f-9779-2564483cbf96", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614317Z", "creation_date": "2026-03-23T11:45:29.614318Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614324Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3f2fda9a7a9c57b7138687bbce49a2e156d6095dddabb3454ea09737e02c3fa5", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] 
[http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "22aad86c-63f6-53f2-b100-8806f8a5c54a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821844Z", "creation_date": "2026-03-23T11:45:30.821848Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821857Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aac9c11490da2ad5316469aa91943b42d019b51ff6f1d9d9767260abd075bb8f", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "22ab7e4e-5009-5309-b8d1-16878da04f4d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606847Z", "creation_date": "2026-03-23T11:45:29.606849Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:29.606855Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8e38148ad4ed9946e8600b37f63996bf17c0101e3f50123b3b8513c895a4b521", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "22ac0514-acd4-55fc-91c4-347208a3ffdf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969924Z", "creation_date": "2026-03-23T11:45:29.969926Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969931Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2537f2ad83f5efc841ed75081d5dfffeb04eea92abfb9844adc091ff2a671b56", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "22cf99e1-2be5-5e4f-973e-9aa98085ad09", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830535Z", "creation_date": "2026-03-23T11:45:31.830537Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830542Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e100aa891445f18f4805dced7c4055aa5bee6c65995daa42a438349ccad6c3c", "comment": "Vulnerable Rentdrv2 Driver (aka rentdrv2_x32.sys and rentdrv_x64.sys) [https://github.com/keowu/BadRentdrv2, https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "22e0a162-a400-5bc5-9624-da03f676d009", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.471685Z", "creation_date": "2026-03-23T11:45:31.471688Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.471698Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e891e1acc02731e93da39f46bf24cbae1a30f1bcf4764ad7cf3b9eecdfc10c1f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "22e1d574-d320-5ffb-86c5-7ef7063f7ecc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143411Z", "creation_date": "2026-03-23T11:45:32.143413Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143419Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b49b7bcf44242dac00ca559dca217ec5d935b78c963f23bd0f49f53a610dd569", "comment": "Vulnerable Kernel Driver (aka PDFWKRNL.sys) [https://www.loldrivers.io/drivers/fded7e63-0470-40fe-97ed-aa83fd027bad/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "22e23e38-782f-5fb1-8d38-e45909c292ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982642Z", "creation_date": "2026-03-23T11:45:29.982644Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.982650Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3", "comment": "Malicious Kernel Driver (aka wantd_5.sys) [https://www.loldrivers.io/drivers/3277cecc-f4b4-4a00-be01-9da83e013bcd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "22e473ce-86c1-5bfe-8024-32d659f2dba2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609447Z", "creation_date": "2026-03-23T11:45:29.609449Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609454Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1bd6a40e294f4f74f9baf172f5a3e21dad3b7e31b5757d91bda309bd54a72fbe", "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "22e4c173-9e10-577c-99d7-25de69970f76", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819106Z", "creation_date": "2026-03-23T11:45:30.819108Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819113Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "058afe9e93dcc52e64fc0942b80a159b8617608c15462a7a17984de3cc0b8d04", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "22eac28d-8c9c-5022-8da7-52da7eca3403", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829429Z", "creation_date": "2026-03-23T11:45:30.829431Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829437Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47aadda1c6ccb26783e1bdd85623c62fe96a176bdfc57dfa48be41d23bfa9fbc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"22f69a9a-b3d0-5ab5-9c60-b469b8eb714f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833037Z", "creation_date": "2026-03-23T11:45:30.833041Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833049Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "60c22d313b7a2205957bd713870b8c92c63aef6ca68f408d8a6b4986defe5288", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "22fd6278-76cf-5ddf-b162-e1eb551b21e7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613684Z", "creation_date": "2026-03-23T11:45:29.613686Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613691Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "59626cac380d8fe0b80a6d4c4406d62ba0683a2f0f68d50ad506ca1b1cf25347", "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "22fff223-e55b-55d8-a96e-11a065670946", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487414Z", "creation_date": "2026-03-23T11:45:31.487416Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487421Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "09415d7d05fe9fd822bd538519e87285ce96bb25bd74e5f5f3e479c2ad575090", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "23077d69-5079-5c66-bd1d-a39653d84e63", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834080Z", "creation_date": "2026-03-23T11:45:30.834083Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834090Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8a73aaeb11ac9af921949053a51f15a1247d0d4d9b55ff95c9120e84c4d4d7e4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2311adfd-84be-50a9-a31f-48a910f32711", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807389Z", "creation_date": "2026-03-23T11:45:31.807392Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807397Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2c2d6db4ea006fce9886dc66103394b47653f5cf2517556d179f3eb10d9687f2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "232760da-2173-585e-85fe-288a05c92a71", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620964Z", "creation_date": "2026-03-23T11:45:29.620966Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620972Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8cb62c5d41148de416014f80bd1fd033fd4d2bd504cb05b90eeb6992a382d58f", "comment": "Phoenix Technologies Vulnerable Physmem drivers (aka Agent64.sys) [https://www.loldrivers.io/drivers/5943b267-64f3-40d4-8669-354f23dec122/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "233e24d6-f1a2-5470-a8fd-37ab66a0bb5e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968927Z", "creation_date": "2026-03-23T11:45:29.968929Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, 
"hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968935Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5bd41a29cbba0d24e639f49d1f201b9bd119b11f5e3b8a5fefa3a5c6f1e7692c", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2341efe9-9c27-5866-91ba-de14a436f405", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480751Z", "creation_date": "2026-03-23T11:45:30.480753Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480759Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd0bd7b8fae8e8835ba09118a02a06a51e111fccbe16916414844aab91cfeed4", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "23421092-b421-5be8-be73-bfcbaf552875", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142844Z", "creation_date": "2026-03-23T11:45:31.142846Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142851Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a0e1c390cd80d8e1e8552939d21f6710d21cca77a27ca7e393832ef5cf456bf7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "234f9fed-975e-5f7f-a788-c46d366b7904", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811008Z", "creation_date": "2026-03-23T11:45:31.811010Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811016Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9ae7bc61efe7325bcf37099ad877ea20abcc381d9d05492146c5e2764b11622a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "235cb634-b380-58d5-b14e-b9d9b3181f4c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153093Z", "creation_date": "2026-03-23T11:45:31.153096Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153104Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "879d4047295e37b3d185906588e0b7716097b45340e5244809cf0146599b9a6f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2365317d-1fbd-5069-af40-154f2bfdd34d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820284Z", "creation_date": "2026-03-23T11:45:30.820286Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820292Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ba182292c25044e9abc89bcd2a846a4cd74485ce0c26413e5a859c516f9d89e2", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "23715b8f-5e47-5729-8d93-1ae5aed6fe32", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819625Z", "creation_date": "2026-03-23T11:45:31.819628Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819636Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7833b719290b7a877b1ac54d2734037c92c2bf1d4ec5f62beb213b16fd1d4ab4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2377b464-487c-5009-b34f-30ca02bdaf6a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493994Z", "creation_date": "2026-03-23T11:45:31.493998Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494007Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a0c7f5abba359cd1db92da1eb19a5d269da2de0260f9687338071ebec00f2da5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2387bba0-4721-50bb-8240-323f484621c5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617378Z", "creation_date": "2026-03-23T11:45:29.617380Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617386Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "61580186311f6260c6de7fa5bf9242d74687aa1c5c9fdf9d9a48eb46d67d636f", "comment": "ATI Technologies vulnerable GPU flash tool (aka 
atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2388a1a0-2a65-5ac6-be3d-66d738f75860", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152668Z", "creation_date": "2026-03-23T11:45:31.152670Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152675Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "90e33eefb9c906e9930162b84a653a2503241956751184a94ab94d39f36516a2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "238e85b6-8c23-5781-a4a3-1692ebed5369", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455959Z", "creation_date": "2026-03-23T11:45:30.455963Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455972Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "742b102cc69403c669244f0efcf9ac8e5bbdb9b10f35f03c743651afe5ac32ba", "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "238f9798-ecfe-5f5e-884c-34ebb284f9ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499108Z", "creation_date": "2026-03-23T11:45:31.499111Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499119Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d69c4a3d8bd38413868d5bd5d6d134b5e99f892c74ef61616498be8e7679a9f7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2394c20d-ec39-5646-9fea-99514be0732e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968527Z", "creation_date": "2026-03-23T11:45:29.968529Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968535Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c5050a2017490fff7aa53c73755982b339ddb0fd7cef2cde32c81bc9834331c5", "comment": "Vulnerable Kernel Driver (aka HpPortIox64.sys) [https://www.loldrivers.io/drivers/13637210-2e1c-45a4-9f76-fe38c3c34264/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "23a4f77c-53aa-5169-91b3-f79a6564af0b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155614Z", "creation_date": "2026-03-23T11:45:31.155616Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155622Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8c9058ca48a1ce381fe40f4dea553cf200ad3c146c16f83301ddcb8887b7269f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "23ac62d0-92b9-5f19-a1b0-1a51ecebcea7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160535Z", "creation_date": "2026-03-23T11:45:31.160537Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160542Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "138f9f8dbff592c83bd409fce1e6ca83890deead587205f94a656549d202a00c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "23b1a236-8b95-5747-aa05-29c2ab3dfb8e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477254Z", "creation_date": "2026-03-23T11:45:31.477258Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477269Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7086cedfb56414413595dc2ddd595fcced21d1de5412406add7b9f2ad7951951", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "23b4b8ca-9d2d-55b6-a44a-b906e25c3b74", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824515Z", "creation_date": "2026-03-23T11:45:31.824518Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824527Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "17564c465975cfded515991b4185606094eafaff3df48ea38fca6a27ddee4623", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "23b97a34-40c6-503f-af8c-0df284d4fb34", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826188Z", "creation_date": "2026-03-23T11:45:30.826190Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826196Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "21c51f1f1c7de816763f1c95757815bd9fc4b0c4ddb48b31ba1fb6f75c49734f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "23bb2d82-3dac-57b0-9683-c5c5b7eb64b8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976353Z", "creation_date": "2026-03-23T11:45:29.976355Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976361Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6839fcae985774427c65fe38e773aa96ec451a412caa5354ad9e2b9b54ffe6c1", "comment": "Malicious 
attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "23bfd105-acdd-5028-95b9-6dd26ee6eb9a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480028Z", "creation_date": "2026-03-23T11:45:30.480030Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480035Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c53b5f071de2bbc03387451052ab81bae9b8ec0a6e075c970600f791157b0b25", "comment": "Vulnerable Kernel Driver (aka gpcidrv64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "23c2a3eb-c7fb-5c68-948d-79d2092bfaff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835145Z", "creation_date": "2026-03-23T11:45:30.835148Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835158Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6cde9ccc57c594d23b20847c2ad76611a74ef7c682f28dcd20272b1ce802a1e7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "23d66f56-4796-557f-ac04-d52082a8c83a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615238Z", "creation_date": "2026-03-23T11:45:29.615240Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615245Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7af3585ca7c2dd65032fa48759a0124db2c5bbca5fc8caf8bb8f61fa5085149d", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "23e2fbf1-51fc-5f47-a686-b1fe34e654e3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816728Z", "creation_date": "2026-03-23T11:45:31.816730Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816739Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "05f6a7781481eb0ab9b893a1d5090ac23cb4738b449902f1f65467a560c0eafa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "23f3cac5-909c-5d10-a408-709b4fade607", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977392Z", "creation_date": "2026-03-23T11:45:29.977394Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977400Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c7079033659ac9459b3b7ab2510805832db2e2a70fe9beb1a6e13c1f51890d88", "comment": 
"Vulnerable Kernel Driver (aka ProtectS.sys) [https://www.loldrivers.io/drivers/99668140-a8f6-48f8-86d1-cf3bf693600c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "23f5fea7-cb0c-5db5-91ea-a91eeb5c57d7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967049Z", "creation_date": "2026-03-23T11:45:29.967068Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967085Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d166b6ffd164dbea53f0f588a979f4c5f1f2a1793fc10cda84a4530b7b22fd0c", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "23f67de7-eb03-5fe7-a246-3f38dc0d7f65", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156231Z", "creation_date": "2026-03-23T11:45:31.156233Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156242Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bafb67136ec3e5cb200f3ffe103b736f75995a2f6b87b384aa9dfa3501d9ec08", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "23fd0a5d-eb2d-56e1-9939-6afff5cf468d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469457Z", "creation_date": "2026-03-23T11:45:30.469460Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469469Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2bff494de18fb32985901a06a931dab92eda052172cf7c942cdd6da944b7a4ba", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "240f7d32-baa7-5bb5-afec-7d3a5ccf266f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474914Z", "creation_date": "2026-03-23T11:45:31.474920Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474932Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "35a8ceb54744e733a31b662d964f5cab22ea63ce77286ce141f9c2563bcf1209", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "24104255-627b-5f13-9530-5fd8719b5a3c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152159Z", "creation_date": "2026-03-23T11:45:31.152162Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152170Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "22c56a56f07d687685a3072c12dacccb3dad0c61c6148ce328727dd28f6da58c", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "242517f2-7f2e-5810-831a-b960d4218d1c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459893Z", "creation_date": "2026-03-23T11:45:30.459897Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459906Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "07c0239c548fdabcb18ac3b54001edd0f8abffd8285e39662d7632a26456d58b", "comment": "Vulnerable Kernel Driver (aka VBoxMouseNT.sys) [https://www.loldrivers.io/drivers/ecabc507-2cc7-4011-89ab-7d9d659e6f88/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "24274ad6-70fd-5107-afee-8170fe3395cb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615932Z", "creation_date": "2026-03-23T11:45:29.615934Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615940Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c0fc1c1c1ff39ea9a695996482ab31cb65c74aaf9f20cba21e9ff34ef054a008", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "242e4963-cde5-5fe9-be28-17e303346cf1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983456Z", "creation_date": "2026-03-23T11:45:29.983458Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983464Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "146d77e80ca70ea5cb17bfc9a5cea92334f809cbdc87a51c2d10b8579a4b9c88", "comment": "Vulnerable Kernel Driver (aka t.sys) [https://www.loldrivers.io/drivers/65660363-0080-4432-abd9-64368dac0283/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "244668f1-96aa-513e-a858-ca3e60ae86c8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980220Z", "creation_date": "2026-03-23T11:45:29.980222Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980227Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9fa120bda98633e30480d8475c9ac6637470c4ca7c63763560bf869138091b01", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2457a838-4956-519b-aef5-48d77aafa717", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826525Z", "creation_date": "2026-03-23T11:45:31.826527Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826533Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a6c578ca720621ec6981160912e70e13a390f349d593135587fef9cfc34517ad", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "245864bd-b5e7-5dd2-8dad-ac3870829711", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495097Z", "creation_date": "2026-03-23T11:45:31.495099Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495104Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d5888073352e24be4718b0f28b1a4fde32ec3c0ff29bbda20213043bb4a3c6a6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "245b7c28-bae4-53a0-845f-0278000edf88", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821290Z", "creation_date": "2026-03-23T11:45:31.821293Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821301Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "73f34dad3342777c826f23a3e36384ec093395a9d1d2b28c1bf0a82a9bedd167", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2467e068-43d7-5717-9275-31caf05ba5ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618586Z", "creation_date": "2026-03-23T11:45:29.618588Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618593Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4b38c075ba6523502dfd39ed10757db58234a1c84d4952b65e30b4a8679bfcca", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "24680372-aa41-510d-9921-25dec8eed65f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970262Z", "creation_date": "2026-03-23T11:45:29.970264Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970269Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fca5f90ce2b210e6026cbf6f2c281fe17a08ddb2e936200847823ef83eaab1eb", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2470a35c-3229-52c2-a468-181abcf1ce3a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619303Z", "creation_date": "2026-03-23T11:45:29.619305Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619310Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"ab8f2217e59319b88080e052782e559a706fa4fb7b8b708f709ff3617124da89", "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "248cc669-35e5-5018-95e0-082bfc13355e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831621Z", "creation_date": "2026-03-23T11:45:30.831623Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831628Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d1b43ce1b90845a1a4af7c1ece3d2d69c84c0a7e83d0f59c880756bb098fca4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "248fe219-024e-5aed-9ce7-96f3ef8f2b21", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:29.614472Z", "creation_date": "2026-03-23T11:45:29.614474Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614479Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3124b0411b8077605db2a9b7909d8240e0d554496600e2706e531c93c931e1b5", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "24b20cae-35a9-5bd5-961a-772ebf23b226", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827348Z", "creation_date": "2026-03-23T11:45:31.827350Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827356Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ad13e0a80edc24ae3c49b2c525cceef5aa73011c0aa8f09a15083c5a16229195", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "24b525fb-240b-526f-b856-c4a76d75d5ca", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148723Z", "creation_date": "2026-03-23T11:45:31.148725Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148730Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7bb22f60323c32d2b8b85c8d31aae9ea27e9a61c232b5d0cbda4893632fe513b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "24c22ac9-3ac8-52a0-be4b-1d8d7776ac6b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832040Z", "creation_date": "2026-03-23T11:45:30.832042Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832048Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "67cdfbe63f6dcdd24e4e2531cb082990d5c062f025dd05e711449eb38f4485f3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "24c702b6-536d-54f8-a38a-0087eddaaed6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613666Z", "creation_date": "2026-03-23T11:45:29.613668Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613674Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f929bead59e9424ab90427b379dcdd63fbfe0c4fb5e1792e3a1685541cd5ec65", "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "24ce6ed1-45ee-52e5-b799-612c9d1ad586", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467267Z", "creation_date": "2026-03-23T11:45:30.467271Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467280Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "89ec70089d61eccb9021edc6f1b50a9ef99196467a011e1dc7d0325aa51b7dff", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "24d85f30-810c-5c37-ad2a-7e5133f003d3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614076Z", "creation_date": "2026-03-23T11:45:29.614078Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614083Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cfcf32f5662791f1f22a77acb6dddfbc970fe6e99506969b3ea67c03f67687ab", "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "24e0b9c0-8a84-54dc-bfae-d67572c60c98", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157153Z", "creation_date": "2026-03-23T11:45:31.157155Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157160Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ca6955adf0cb9b059f228d1460b2647b34654a0bf4391ac874c3ec02aa86b74c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "24f21b1e-feb2-5414-8ac1-d162c9b17a5a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618514Z", "creation_date": "2026-03-23T11:45:29.618516Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618522Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "91ee89520105ccbceca6ee0e34070f28c8dc5a3d73ec65f384da5da4f2a36dc0", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "24f2ba77-8d4b-5fdf-9944-43336a97d16a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143742Z", "creation_date": "2026-03-23T11:45:32.143744Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143750Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bf1264cf5b9ca687a447a5021394db27eecf31f009185deb634b32f7ed49f620", "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "24f33bf0-bef2-58cb-bf4a-a3bca138d75a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.158897Z", "creation_date": "2026-03-23T11:45:31.158899Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.158905Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "24179779724d229c5a0a0a9ebd442936882496556ccb9ab5943aa9bfc63cf2a9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "24f4a8d7-6e98-5ec3-9b1c-9ba19d60ff76", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812011Z", "creation_date": "2026-03-23T11:45:31.812012Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812018Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "049b22ea9712994036b3240d026d85d9c4699ead7c593e66e5f845c51cc7e6d5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "24f821ab-2000-5aa8-83b9-0d2a4f4e8921", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461971Z", "creation_date": "2026-03-23T11:45:30.461975Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461983Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "accb1a6604efb1b3ce9345c9fd62fe717a84c3e089e09c638e461df89193ef01", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2506272d-ec09-5199-8431-9e6d5123a475", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143613Z", "creation_date": "2026-03-23T11:45:32.143615Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:32.143620Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1698ba7eeee6ff9272cc25b242af89190ff23fd9530f21aa8f0f3792412594f3", "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2509a2ea-ece4-52af-9716-dcb806fef5ef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617695Z", "creation_date": "2026-03-23T11:45:29.617697Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617702Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "18e1707b319c279c7e0204074088cc39286007a1cf6cb6e269d5067d8d0628c6", "comment": "Cheat Engine dangerous driver (aka dbk64.sys) [https://www.loldrivers.io/drivers/1524a54d-520d-4fa4-a7d5-aaaa066fbfc4/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "250af9c6-1320-57aa-aaa1-21d48ec88415", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968367Z", "creation_date": "2026-03-23T11:45:29.968369Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968375Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "995284d05f947e2db58ece30b6d61653a2b94b2c337e5c75ca8315793e0b3955", "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "250bb6a7-a152-5de2-8bdf-c00186555d48", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146744Z", "creation_date": "2026-03-23T11:45:31.146746Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146751Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3a71944dd57948f2cda64fac2f9407f099dbd7744f5bdd7fe9500703af0fb553", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "250c1b07-af0f-5c58-b42d-d7ae7d6e8a85", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486105Z", "creation_date": "2026-03-23T11:45:31.486109Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486119Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd487838b9b0eb272db9dd09b40ef5826b523f9f48d44130b4c1a53ed2182323", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "250f1f91-222b-50fe-8ae9-a4086d2a5040", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145236Z", "creation_date": "2026-03-23T11:45:31.145238Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145243Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1726cc742dcad64d0993f833b26f7c314fb4b3ee999e7cdc371bde6dec26afef", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "251585db-48a8-5da7-b2c3-372879427e9e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495779Z", "creation_date": "2026-03-23T11:45:31.495781Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495786Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fbed48e78c6e4a9c190fc7b98b33b0b61890d8eaacc3df3c9f97f6f3430f8a8c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "251f9569-4927-597e-8cf2-ea160a03498c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833119Z", "creation_date": "2026-03-23T11:45:30.833123Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833132Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "de3fe9e38a3e471599a831f583c3f568f7ecb9629a1b57621028f6934a636047", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "25225aeb-b715-54d9-beb9-e75fea40a791", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973569Z", "creation_date": "2026-03-23T11:45:29.973571Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973576Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3e1d47a497babbfd1c83905777b517ec87c65742bee7eb57a2273eca825d2272", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] 
[https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "253b43ba-71c2-592d-8090-e29b589b0080", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817942Z", "creation_date": "2026-03-23T11:45:31.817946Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817963Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ed8c91ed5e634739ff0d5f61b058f5a043b3c50c8cd23ec9a76d1e6d562062a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2543e7d8-7d97-559c-8a88-8ec2eb942d0e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618948Z", "creation_date": "2026-03-23T11:45:29.618950Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618956Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ae065383a4ef5564a515d12adf18427f8d74cc15140edb95e5e2a51ca44fe42", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "25500730-e86b-5557-a2c0-d5694c8450b9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825698Z", "creation_date": "2026-03-23T11:45:31.825700Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825706Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "48b7d25417eef1ec854ef7fc7ce5a6009f5b85dfe0f849e8ef56251dc899f99c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2559c47b-d7bb-53fc-8128-6c54d58a1e46", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148041Z", "creation_date": "2026-03-23T11:45:31.148043Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148049Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd571311e5c8a420a53bdf0adb2b8a6542553c9d7c1434595875ad219bd3adad", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "255f6f88-fc97-5a91-822c-4d7ac63feaf4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828441Z", "creation_date": "2026-03-23T11:45:31.828443Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828448Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"98d90c58d6e7da9440f9bebfb6f2a6d7285a31f84acbae00c6d108b29a067b3a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2569b812-f931-5ce8-a3f9-68660c758131", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817206Z", "creation_date": "2026-03-23T11:45:31.817209Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817218Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e83731992993c9bd1ce619bf3afcafee07a2e35ad797a4300748b174a811a10", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "256aa586-78c1-551c-82b1-aee3653ba4a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.161075Z", "creation_date": "2026-03-23T11:45:31.161077Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.161082Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1dc0310211470fd0f20ef69db63b332e493edf11fa192d02bec6ff2a9a380424", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "256b7a81-ba5b-518b-8e09-48a6b3c5f286", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465540Z", "creation_date": "2026-03-23T11:45:30.465543Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465552Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "008fa89822b7a1f91e5843169083202ea580f7b06eb6d5cae091ba844d035f25", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "25707eb2-d59f-591b-b46b-6bdc769dff93", "test_maturity_current_count": 
0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817842Z", "creation_date": "2026-03-23T11:45:31.817844Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817853Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9450482ae96ad3b7b0fcf50f43c6a80be632643942aa044e58268eb5422b4219", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2570c2bf-f724-5f90-a9fc-8fe94ab74575", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491344Z", "creation_date": "2026-03-23T11:45:31.491347Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491355Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "9e09866276f58c2807315c78bd035622a182ea95ebb80714af69ca884b6a1f06", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2577cf42-46f3-596d-8c00-33c7284e65e0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500010Z", "creation_date": "2026-03-23T11:45:31.500014Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500023Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f658233bb32c1e6b23b0e70dd84294a5cbc5d44e3907e355e1da7683660a4672", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "25839a57-1801-529b-9242-809a6a46716e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464598Z", "creation_date": "2026-03-23T11:45:30.464601Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464610Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4136f1eb11cc463a858393ea733d5f1c220a3187537626f7f5d63eccf7c5a03f", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2590ea5c-2a39-5aa1-b1f2-14357e60afea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969364Z", "creation_date": "2026-03-23T11:45:29.969366Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969372Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c0c131bc8d6c8b5a2be32474474b1221bce1289c174c87e743ed4a512f5571d4", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2591776a-0d11-5790-8358-9c49cdafd039", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475828Z", "creation_date": "2026-03-23T11:45:31.475832Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475842Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a0dfe6cc077baf31617f91334d12589801a98aaae7b712f7976df63e86e203e7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "259eab04-77cf-5108-a3e4-0365cc226ccc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822273Z", "creation_date": "2026-03-23T11:45:31.822275Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822281Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "20a18c56859638b8ea44319510a109cf02faa32295c5a9f4a0020de2b67d16b2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "25a0b46e-df5f-5fb3-a4ba-e2b172aba933", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480429Z", "creation_date": "2026-03-23T11:45:31.480433Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480442Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b285a125b15f81d584919330b277d70d22d3d01f187bb2c10029f0927ea67066", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "25a8189c-c3ca-5861-9603-0b261b889aa8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821521Z", "creation_date": "2026-03-23T11:45:31.821523Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821528Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d8edce22f1222f23d7884cd8b4ce2c01172317a356f270abf95907839491d97e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "25ad89a2-dc41-59cf-a148-7aae7f4305f5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475416Z", "creation_date": "2026-03-23T11:45:30.475419Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475428Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9e428c1d1cd7358e2c2f25ede45e718b22cb5d04634a4d1ec08a87e71248685b", "comment": "Vulnerable Kernel Driver (aka mhyprotnap.sys) [https://www.loldrivers.io/drivers/75a66604-f024-4f11-8ba7-fdd64a0df3bf/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "25b30dbe-b022-5a27-8841-4b5d11cd2b48", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155753Z", "creation_date": "2026-03-23T11:45:31.155755Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155760Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7cff7d3f12c0e6782d4875cf3efc18ad7c31676d16641de6d8d0275ba76058d4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "25b360ec-59f0-531b-ae3a-dd5c3061f565", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983010Z", "creation_date": "2026-03-23T11:45:29.983014Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983021Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "c10c70be4e36fa9c98a4796c2b03db86398e2b07018550b7f0d58edabc553ad2", "comment": "Vulnerable Kernel Driver (aka WiseUnlo.sys) [https://www.loldrivers.io/drivers/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "25b3fe2c-4f62-5269-88b2-2c57290a8a05", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455989Z", "creation_date": "2026-03-23T11:45:30.455993Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456002Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "de09000bb9f5f81ff6c9ba239ea2498cff4e3decf6ae0220e4b0d64c3500acf8", "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "25bab5ca-8907-54b3-a8f4-709658efcd5e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.480244Z", "creation_date": "2026-03-23T11:45:30.480246Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480252Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cac5dc7c3da69b682097144f12a816530091d4708ca432a7ce39f6abe6616461", "comment": "Vulnerable Kernel Driver (aka GEDevDrvSYS.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "25c4c79f-0b0d-50d2-9a79-31e20ab7ed09", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981726Z", "creation_date": "2026-03-23T11:45:29.981728Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981734Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "49ed27460730b62403c1d2e4930573121ab0c86c442854bc0a62415ca445a810", "comment": "Vulnerable Kernel Driver (aka ProxyDrv.sys) [https://www.loldrivers.io/drivers/0e3b0052-18c7-4c8b-a064-a1332df07af2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "25c64d50-8972-5d79-af17-8be0d7a5a82b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476724Z", "creation_date": "2026-03-23T11:45:31.476728Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476738Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "14e49bc3781d1bd4a629c49d289f0753eeff1620183aff6878921d98411838d4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "25cd612d-e075-5ec4-802c-1d75ff73c1b1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460608Z", "creation_date": "2026-03-23T11:45:30.460611Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460620Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"d21aba58222930cb75946a0fb72b4adc96de583d3f7d8dc13829b804eb877257", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "25cfdfe6-3621-58f8-b005-dc9da8087dc8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834845Z", "creation_date": "2026-03-23T11:45:30.834848Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834858Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "86ec1a34c5fc59f060905bd400a7b93f17ce035801aeff68084c362303cd8d63", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "25d47af5-c410-5763-b3e0-f4315cb3c8f8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617765Z", 
"creation_date": "2026-03-23T11:45:29.617767Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617772Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5bdba1561ec5b23b1d56ea8cee411147d1526595f03a9281166a563b3641fa2a", "comment": "Vulnerable Kernel Driver (aka netfilterdrv.sys) [https://www.loldrivers.io/drivers/f1dcb0e4-aa53-4e62-ab09-fb7b4a356916/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "25d8d234-ce5b-5ee6-9b0b-4da5e892db71", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475634Z", "creation_date": "2026-03-23T11:45:31.475638Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475648Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "987c0ae95c1a5af412dbf07f30fadc81c09e762ae030be0d40d178bcdae27869", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "25e75c18-8861-5a2e-9267-07eaeb6b340f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463098Z", "creation_date": "2026-03-23T11:45:30.463101Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463110Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7b846b0a717665e4d9fb313f25d1f6a5b782e495387aea45cf87ad3c049ac0db", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "25f9a628-61a7-5e33-8f9c-93ed5fec5a41", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836667Z", "creation_date": "2026-03-23T11:45:30.836669Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836688Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5503457b83080d56dec2577ea173015d4f947154898d7af3e3f3440d75497cd3", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "25fb542c-0d83-5bac-b4c2-98003264ba4c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472885Z", "creation_date": "2026-03-23T11:45:30.472888Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472898Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "79440da6b8178998bdda5ebde90491c124b1967d295db1449ec820a85dc246dd", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "25fce0b8-a31c-5b3f-8f93-3272b92ddc79", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459587Z", "creation_date": "2026-03-23T11:45:30.459598Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459607Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8168304169a2453c0c3e0a285c2a07d3b3b83433e0342f6b33400c371af86221", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "26011834-75fc-5513-81c8-5d7abe8b447f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807660Z", "creation_date": "2026-03-23T11:45:31.807662Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807667Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "be3d34831f9c5756b5c4914113e191435a35482b56af72b97de05b26fd396496", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "260c36bb-031e-5c99-a909-cad0dddd3638", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467181Z", "creation_date": "2026-03-23T11:45:30.467184Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467193Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0820ae4ffc5258b49787423bd392cd29a6a77777b955dd210a41238b02f05c3e", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2624c951-7316-5756-814b-cedf761e77d8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810200Z", "creation_date": "2026-03-23T11:45:31.810202Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810208Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "18cb010c716e03e8341ba43b4423695306d85b8723e7a89f5d8a73c6ddb25169", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "26250b78-d22a-568c-baf5-ea8e937f41c5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817914Z", "creation_date": "2026-03-23T11:45:31.817918Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817927Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0eadb6eff81dd20553f7564b31147af7064dc8f5b7d71407ca24c4783cd0ffd4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "263de15c-e0c5-5972-91e0-8308e333822b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491244Z", "creation_date": "2026-03-23T11:45:31.491247Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491256Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e7e358fee32f2437831f45baee3a8513c5f1e34b06d1b0442891600a338206bc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "263f7a4c-decb-5e71-bc2d-be9aa6cfa2b9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473842Z", "creation_date": "2026-03-23T11:45:30.473846Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473854Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3e307281c9f7329579988190e24a655b15bb2e60afc585109f05a79e5aba81a0", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2641b4da-7d0f-54aa-920f-25472d592ace", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828742Z", "creation_date": "2026-03-23T11:45:31.828744Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828749Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47b34c0c133155e7a36993a79f6f9d0edc174d64087385560f28b38f15e3b1f1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "264f52d1-382c-5b79-911e-187ae83ece5e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827820Z", "creation_date": "2026-03-23T11:45:30.827822Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827828Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "619bebecbd811dc30558beb48a9bfe437c4807b5bc34543a6b6b4f1ebc564445", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "26501787-413b-58d6-a82e-d1d9c84dde45", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978527Z", "creation_date": "2026-03-23T11:45:29.978529Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978534Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05", "comment": "Vulnerable Kernel Driver (aka AMDPowerProfiler.sys) [https://www.loldrivers.io/drivers/9a4fb66e-9084-4b21-9d76-a7afbe330606/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "265d45b5-1b73-5f18-967b-7c34b1ed731d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465765Z", "creation_date": "2026-03-23T11:45:30.465768Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465777Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "793b78e70b3ae3bb400c5a8bc4d2d89183f1d7fc70954aed43df7287248b6875", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "26822bab-ab21-5d71-afb2-98e01c88d1de", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984140Z", "creation_date": "2026-03-23T11:45:29.984142Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984147Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "91314768da140999e682d2a290d48b78bb25a35525ea12c1b1f9634d14602b2c", "comment": "Vulnerable Kernel Driver (aka OpenLibSys.sys) [https://www.loldrivers.io/drivers/2e4fedb0-30ed-400d-b4e1-b2b2004c1607/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "26884fc8-f8b5-536d-9e37-90a04d0a3081", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483689Z", "creation_date": "2026-03-23T11:45:31.483692Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483701Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "89c1821b4546ae1d1fb4e84c9243691309d8191164573e978887c211b29471c0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2688ae05-ac5d-5091-ad82-87d0b4cf8163", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827122Z", "creation_date": "2026-03-23T11:45:31.827124Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827129Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dac13ca91fa4f17531ce45e45bccec7002fdbe06e98024dcc381c776597e71f6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "268a1631-c5d7-546a-8b22-f8ba5bc4be4b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819708Z", "creation_date": "2026-03-23T11:45:30.819710Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819716Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d7c90cf3fdbbd2f40fe6a39ad0bb2a9a97a0416354ea84db3aeff6d925d14df8", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "268fa52c-572f-523f-8362-1f082a70d4a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142290Z", "creation_date": "2026-03-23T11:45:31.142292Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.142298Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bc9a724d6d780f8ee8f7886d76af56c468d8f07ddaf73cbcdbe81c31a1dca48e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2696f880-975a-59b7-9a6c-49640b758c08", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476015Z", "creation_date": "2026-03-23T11:45:30.476019Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476028Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4cd80f4e33b713570f6a16b9f77679efa45a466737e41db45b41924e7d7caef4", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "26972ca1-43f9-59bf-a417-675280ad5003", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467122Z", "creation_date": "2026-03-23T11:45:30.467125Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467134Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7af0efdd72c68fdd105bb73be148ab7bf78a157cb1b241a85362a5bc5da91bd8", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "26a6443a-f007-57ff-9d69-cc9cb00469ba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489428Z", "creation_date": "2026-03-23T11:45:31.489431Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489438Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "772d31d79540f53faf5ed28a387cc99e23407ab295d3693851fe965636c78e43", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "26aaf21a-8cd9-50e0-a94b-2e70e4581ad1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811814Z", "creation_date": "2026-03-23T11:45:31.811816Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811822Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "efc3f6440458ec128e330625cf51b5bda7b263d0e5e1cfef9afd30d72a9e73f6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "26b2151d-ada0-5833-ac6e-1bf1c701dd67", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493435Z", "creation_date": "2026-03-23T11:45:31.493437Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493442Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "03390ac3179dc0e5ab229aef1a92432fc1ffe9df1071b03428ca1a79e86ff8f4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "26b45be2-6bf6-5870-8a3e-0309852fabbe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140944Z", "creation_date": "2026-03-23T11:45:31.140954Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140960Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8d8efa46efdfdfc8f675d8c6e3a7e51e07ae18d12494eedd73bb6baf557fef30", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "26c36caf-918e-5c49-824c-6d2190f00e86", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142417Z", "creation_date": "2026-03-23T11:45:31.142419Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142424Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd8d5c2713d271898bbd78a5e0abf8986ae9c13745f825b3930c2ada5471f3d3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "26c50bb7-0e62-581c-b0f7-29f04cb44a27", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832497Z", "creation_date": "2026-03-23T11:45:30.832499Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832504Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7265f79ec6c42608f45fdf76ad40036961cd4f2dc363c4be17945072b609d584", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "26cc6f6a-c6a1-5e5c-b663-93b9bdfb420c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820670Z", "creation_date": "2026-03-23T11:45:31.820673Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820682Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "721355b5059f9d9848904d7e5aefd6699894572e124b64eefd7e85e24d4718e8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "26d63f78-52d9-5f3f-9472-18070b6219f0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619648Z", "creation_date": 
"2026-03-23T11:45:29.619650Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619656Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f8430bdc6fd01f42217d66d87a3ef6f66cb2700ebb39c4f25c8b851858cc4b35", "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "26dcffe7-19fa-5ecf-a693-d01afd4d363c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472583Z", "creation_date": "2026-03-23T11:45:31.472586Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472595Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aaf2de85b1b2273e7c8219501fb64d3a2e619482886f44943cf0a08249a9ad08", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "26e9eaca-e011-5b8c-9dcf-3d55a3bba399", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982325Z", "creation_date": "2026-03-23T11:45:29.982327Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982332Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e1980c6592e6d2d92c1a65acad8f1071b6a404097bb6fcce494f3c8ac31385cf", "comment": "Vulnerable Kernel Driver (aka winio64.sys) [https://www.loldrivers.io/drivers/1ff757df-9a40-4f78-a28a-64830440abf7/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "26eaa7ee-31ce-52da-9788-6487b7853f37", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480451Z", "creation_date": "2026-03-23T11:45:30.480453Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480458Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e6d1ee0455068b74cf537388c874acb335382876aa9d74586efb05d6cc362ae5", "comment": "Vulnerable Kernel 
Driver (aka GtcKmdfBs.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "26edeed9-0339-5a3e-bd71-040559cebecd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819544Z", "creation_date": "2026-03-23T11:45:31.819547Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819556Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0bda209a54ce2eefdee85a78d7ef74c6895df59d61491e61b8955792fbf00cf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "26f04b06-51e1-59a2-ab5e-d0788f75290a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156586Z", "creation_date": "2026-03-23T11:45:31.156588Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156593Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e18fb11eb435c9b2ebd3bf0798bf5e82c2d48c225e51a2f21190c36f94b32337", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "271bb663-62ed-53d7-902b-a7f7fcfc2c4a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494492Z", "creation_date": "2026-03-23T11:45:31.494494Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494500Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7ca6e8b9f468bb37760c53e11323052fe506f4290a4bae5d4a3ff6c59338bb6c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "271eb340-7270-57d5-96ac-ec1108392ce3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148060Z", "creation_date": "2026-03-23T11:45:31.148062Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148067Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "46fbac19393a95999b24bab3d0f6fa027781ece014aeb09197d2968b0b260a0b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "27283ed3-7201-5b9f-b086-f0c766515683", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463942Z", "creation_date": "2026-03-23T11:45:30.463952Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463961Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"8684aec77b4c3cafc1a6594de7e95695fa698625d4206a6c4b201875f76a5b38", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "272f120e-e794-507d-93d3-da9e49da91c7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826999Z", "creation_date": "2026-03-23T11:45:30.827001Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827007Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e88fa4916eb1c2c5dede1a8a3ce2b868e6ed28b845c05694e54c136ab9a9fcc5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "27536930-523c-51ee-b6fe-09db02f7ceb9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144375Z", 
"creation_date": "2026-03-23T11:45:31.144377Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144382Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ccb6149fd214027de4fff2fcde8040b009d6c9e397523914a4512a8e71510a4b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2757b5f1-b6aa-5cb9-8fc5-52943094930c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480134Z", "creation_date": "2026-03-23T11:45:30.480136Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480141Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b9e0c2a569ab02742fa3a37846310a1d4e46ba2bfd4f80e16f00865fc62690cb", "comment": "Vulnerable Kernel Driver (aka IoAccesssys.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2762d5e1-3063-5305-a155-73a580ac208c", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818172Z", "creation_date": "2026-03-23T11:45:30.818174Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818180Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b074caef2fbf7e1dc8870edccb65254858d95836f466b4e9e6ca398bf7a27aa3", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "27667b97-5ddc-5f3d-8f8d-b4ef2072d05d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981570Z", "creation_date": "2026-03-23T11:45:29.981573Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981578Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"e2ec3b2a93c473d88bfdf2deb1969d15ab61737acc1ee8e08234bc5513ee87ea", "comment": "Vulnerable Kernel Driver (aka gametersafe.sys) [https://www.loldrivers.io/drivers/1ab1ec8c-1231-4ba4-8804-4a2cda103bb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "27671ae9-422c-59b8-9cb2-f15aa17b3f64", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471410Z", "creation_date": "2026-03-23T11:45:30.471413Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471423Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1997e2a6302f3196975f858fef63188a249f79b6c2982d31ae07405e8aada58f", "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/fbdd993b-47b1-4448-8c41-24c310802398/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "276755f2-5b5d-5a6a-85b0-9a65b6019104", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604772Z", "creation_date": "2026-03-23T11:45:29.604774Z", "enabled": 
true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604779Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "69527aa5ad089d9731e0054a32c9626a8d25416664f8d9b444bec674ba695ad5", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "277a237b-3f4b-5db9-8a7f-9962a2c1005d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973217Z", "creation_date": "2026-03-23T11:45:29.973219Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973224Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8907c476440abdd7f71feb068443a7c9736aa6bf625dfb8b6931c46341aa4abf", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "27b4489c-d4a0-55cd-a711-fe94c9f09d18", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828137Z", "creation_date": "2026-03-23T11:45:30.828139Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828145Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5c31418c493f33151a86bca000d364ef472a07650f87cbf02cdb1ed9915a9e6f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "27b74b27-493b-51ce-b86c-aa0aea168ea0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.478863Z", "creation_date": "2026-03-23T11:45:31.478866Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.478891Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "04bcb3a05961381a4e28a05901a21c6ce15437e59482db083b4e46dfc666722e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "27cf7ff6-ac99-5286-a09d-b03de2c32282", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970228Z", "creation_date": "2026-03-23T11:45:29.970230Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970235Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5eb493fc07a9573176f87297a002183d8e60104619a7b83940ce6e83ac54cd7b", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "27d19d51-37fe-55b8-ac03-a67ae9b674c7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807330Z", "creation_date": "2026-03-23T11:45:31.807333Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807339Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7de59866f3420467502e2bf8cab8171c9fc259f7380cb5a2c7d833d16d1e2edf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "27d749a8-0ed6-54a9-b581-dd5b7acb6f91", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454211Z", "creation_date": "2026-03-23T11:45:30.454214Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454224Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "752b31418053dc19c0573d16953d5ad24723bd57e5f62eff391e632548855b5f", "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/bc5e020a-ecff-43c8-b57b-ee17b5f65b21/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "27ecaede-842f-5c3b-9c7d-228ae9641950", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829845Z", "creation_date": "2026-03-23T11:45:30.829847Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829852Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7abb86c7ad13581e0cb1be79bb579efe786f1253a3fcaf6fae7607fe09bc34dc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "27f6ea07-4a09-5975-bf08-315e635e44da", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613065Z", "creation_date": "2026-03-23T11:45:29.613067Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613072Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b4d47ea790920a4531e3df5a4b4b0721b7fea6b49a35679f0652f1e590422602", "comment": "ASUS vulnerable UEFI Update Driver (aka 
AsUpIO64.sys and GVCIDrv64.sys) [https://codeinsecurity.wordpress.com/2016/06/12/asus-uefi-update-driver-physical-memory-readwrite/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "280076a1-ae2a-5916-9aca-916ed89c5618", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817634Z", "creation_date": "2026-03-23T11:45:31.817637Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817646Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a040bd51630fb46f624f359ea7cd6fe929816563f927f16ff125e23b1e2917bb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2806f6bb-58d0-5a3b-b9cc-70d097149010", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500362Z", "creation_date": "2026-03-23T11:45:31.500365Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500374Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dc876fa85717a697e284839410f09ee617bdfe62a75f9ca523ca6545093ab360", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "280ddff5-ef75-5484-8a3d-2fca7695d64f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470251Z", "creation_date": "2026-03-23T11:45:30.470254Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470264Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7adc0785210452664cb684b2c7687589090d31f2a3d0892e8e520145c0799110", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "280eca09-6c68-534c-a356-ba5178908770", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974315Z", "creation_date": "2026-03-23T11:45:29.974317Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974323Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eb14c5db8307488809897be13c66ef02941f6020f9c34a9664db92a00d551f4a", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "28129e27-5790-5199-8968-7ebf1df0e7d5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827658Z", "creation_date": "2026-03-23T11:45:31.827660Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827666Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "accd4f23f1b4ec1e16b5107fa7d59eefa1e901c38c1947afe4e132280710f539", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2824d10a-1f6b-533b-8757-6fad13e866e9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832782Z", "creation_date": "2026-03-23T11:45:30.832783Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832789Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d42a4554c469020a44eb69cd4ec99bcddb093193a7b75127f82fe2785581dbb9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "282df111-e5d7-50de-8a7e-8045a55ae115", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479241Z", "creation_date": "2026-03-23T11:45:30.479243Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479249Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2fb5d7e6db01c9090bba92abf580d38993e02ce9357e08fe1f224a9b18056e5a", "comment": "Vulnerable Kernel Driver (aka directio32_legacy.sys) [https://www.loldrivers.io/drivers/7a0842ca-1a64-4ad1-9d66-25eb983d1742/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "28371d22-67e8-575e-b9bc-35dd9cea87f6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827640Z", "creation_date": "2026-03-23T11:45:31.827642Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827648Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d05c17f5dc4ea2fe3f5bcca774e83fe8b521d1e6fad60ee5178810c40bd10cb1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "28382674-0187-598e-a00a-6f2270ed0c9c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615169Z", "creation_date": "2026-03-23T11:45:29.615171Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615176Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4a05ad47cd63932b3df2d0f1f42617321729772211bec651fe061140d3e75957", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "283e5bca-9901-5e4b-964e-c78cc7c5b22c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829696Z", "creation_date": "2026-03-23T11:45:30.829698Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829704Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "06ca3298bf7b70f797198adc31108fe95126fb37b12021e3e00390f60bb7181b", "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2842e846-f175-5aa4-a969-032d3b8f4e04", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140094Z", "creation_date": "2026-03-23T11:45:31.140096Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140102Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "34246ad7d90163e21633a7f76bc9709332a1b67e3263151263fc9f5f853891f4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "284688e5-29cd-594b-bc06-976b650c452a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606438Z", "creation_date": 
"2026-03-23T11:45:29.606440Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606446Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "703b4ec0a36c18af294f5db9e0acf73edec524515f75856bb8da7a98b4e26910", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "284b1cab-cbce-5dc2-9b80-1869174a4d2a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157548Z", "creation_date": "2026-03-23T11:45:31.157550Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157557Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7154523cf44a211b4b39b7e24f37368e83a67ef90fdc1b9553e0d850f0d08509", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "284d0c81-9673-548d-8e49-58b9a7834e51", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 
10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613012Z", "creation_date": "2026-03-23T11:45:29.613014Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613019Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0ed869a98c4cc2fc84deacb91ab87ca7657f0aea3e1c23234263e99237712fb", "comment": "Marvin Test Solutions HW vulnerable driver (aka Hw.sys and Hw64.sys) [https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "285393c7-3974-5188-a0e0-4cd0b01b85d2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487594Z", "creation_date": "2026-03-23T11:45:31.487596Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487602Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"0154a13245c9b2ce43c31de3c78e49d3d9de3fac1bed848520aae9d423d822e7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "285c71f4-484f-57f8-a139-754d50d9ab91", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473912Z", "creation_date": "2026-03-23T11:45:31.473915Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473926Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47e95a501379d5f835eef82a9fd7ed0e80a04a7a780e9bac73830965a89d5302", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "286359cf-919a-5ac3-9a9d-55d98db458c3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835789Z", "creation_date": "2026-03-23T11:45:30.835791Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835797Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b04d79bf5f1038113278d0f22f0d4a262e1416b52e8983e25dd1a6c226a99e2c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "28706d2e-50b2-51b9-94ea-5def0c1f6a8b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144753Z", "creation_date": "2026-03-23T11:45:31.144755Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144761Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "254c19c95c44c54d4bd33df6898245b44699a2121db520e621e9c140a358e8bb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"2870aa4c-f10d-5a6e-9c10-645b843daf4d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815986Z", "creation_date": "2026-03-23T11:45:31.815990Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815998Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9b047cd7bb68be8ddec660503d5b6f30f99b0091420a987cb6ff172b3fa6e4fd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2872703e-bc36-5ae0-8de2-78407291bb9b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486447Z", "creation_date": "2026-03-23T11:45:31.486450Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486458Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea15838c7281eb1afb472e7ea8801b8f32232a661153754aa69dafd98f534953", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2884afd6-ebca-5d79-aee7-2932a94663d1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822203Z", "creation_date": "2026-03-23T11:45:31.822205Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822210Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "82c86dccb438ae2f58d44fe34c5780fb02334ff0329868a28f55b85b18b1f47b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2886cab4-72f8-540c-bbe0-3c49982c9234", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970245Z", "creation_date": "2026-03-23T11:45:29.970247Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970252Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "00716eab8a3277128fb5ea8b1ac863e4b81b40674f7c6eb0f201e96341fd87c9", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "289001a0-3ef1-55c0-880f-42c3c1d99321", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472378Z", "creation_date": "2026-03-23T11:45:31.472381Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472390Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9c2b90cc27a96098b59ae89939e6adc00a8fdd69a9b43a23730e50571fe68abb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "28963a63-7d3c-5bc5-9a23-5530a85da16a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156962Z", "creation_date": "2026-03-23T11:45:31.156964Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156970Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c4de9d73720d02d54e0db5bd5bcaded5425bb73ef0886cfa8b74e48df921ee49", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "28a4b087-8491-517a-bd65-fcf74da2190e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146077Z", "creation_date": "2026-03-23T11:45:31.146079Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:31.146084Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "37e3631303ef170f071203b4577a998e7390e3bcacf23d9dc5fee7252353dbee", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "28a87c3f-d4af-53b9-81eb-73750a75640f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153890Z", "creation_date": "2026-03-23T11:45:31.153892Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153897Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "163c5afcc5ef9d4561cb0ee04b85d0b8d2026423079c797484221a442194e687", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "28b03214-b2b3-5594-8709-4dc806d2e668", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968167Z", "creation_date": "2026-03-23T11:45:29.968169Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968175Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "06bda5a1594f7121acd2efe38ccb617fbc078bb9a70b665a5f5efd70e3013f50", "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "28cadc33-4e01-5cc4-9b99-02bd8b3517f7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156178Z", "creation_date": "2026-03-23T11:45:31.156180Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156186Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8bf703ff0947ef595d5bbb1a7a424a52384c5b0e84e3fe0214409fdddb978464", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "28d1d35d-5151-5d28-b28f-48422d5f2365", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807641Z", "creation_date": "2026-03-23T11:45:31.807643Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807649Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a44dd4e5c71952ee7939fcc946de0e9ccf9e63688145dbb42a0257bd4fb6a440", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "28dbf36c-5288-5f4d-b31a-267784752981", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618638Z", "creation_date": "2026-03-23T11:45:29.618639Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618645Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d9434a50e1a6252f23af362631a5576017cce3ef109d7fc93748de8bd46f9385", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "28f47e18-09f5-5def-8cd9-8269b4ea3304", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461441Z", "creation_date": "2026-03-23T11:45:30.461445Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461453Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c8926e31be2d1355e542793af8ff9ccc4d1d60cae40c9564b2400dd4e1090bda", "comment": "Vulnerable Kernel Driver (aka netfilterdrv.sys) [https://www.loldrivers.io/drivers/f1dcb0e4-aa53-4e62-ab09-fb7b4a356916/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "28f8596c-8777-5e2b-a3c6-d892c40ae168", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824744Z", "creation_date": "2026-03-23T11:45:31.824746Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824752Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "72a3e975efe38c77ad08dfd6157441a20fb019cabc9690a8ea581ce853b3e849", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "28fa2cac-d391-5fc8-9def-0d80a8681181", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827415Z", "creation_date": "2026-03-23T11:45:30.827418Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827424Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "55161795c5c581bdc27485517bab35b0833a77352863a78ae4f964f29eeb49ce", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "291fd1b8-1cae-5f23-a4a6-69e6332436bc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984769Z", "creation_date": "2026-03-23T11:45:29.984771Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984776Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b8d748834fb982fa033cd2671843de727999b21fad30979ac4acc4828910ef8b", "comment": "Dangerous Physmem Kernel Driver (aka AsrIbDrv.Sys) [https://www.loldrivers.io/drivers/31797996-6973-402d-a4a0-d01ce51e02c0/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "293bb433-d95d-5be9-bdd2-f9a5cceef068", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830332Z", "creation_date": "2026-03-23T11:45:30.830334Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830339Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e4c44e3bb181ff2a7eb2bc636f8329bdc23978c99d83187da0b0c1eeb938fd07", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2953ef13-5600-51a7-aed2-e4c9b852afb2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486719Z", "creation_date": "2026-03-23T11:45:31.486722Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486731Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d6464deb7e8579caa7fa5c082208afa742ac599b48b51339b55315f3e8ebf22b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2956366e-56a8-562b-a0a5-678ab3cd30b6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816594Z", "creation_date": "2026-03-23T11:45:30.816597Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816606Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c23ac21bfcf3bd7f76d4f3b91844ab35427a1a2d3bbaf93f7916edf7569e4b22", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "29691329-9ff2-51de-9ceb-2380494b9375", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498779Z", "creation_date": "2026-03-23T11:45:31.498782Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498791Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a7dbc0fa7f12095caae00bca5e1d9e51f226290cb993aad2f39fbc8db670a2a7", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "296bc7b7-fab7-519f-b93b-70a424453b25", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614649Z", "creation_date": "2026-03-23T11:45:29.614650Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614656Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "79e2d37632c417138970b4feba91b7e10c2ea251c5efe3d1fc6fa0190f176b57", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "296e8761-5546-5b82-a8a2-52deea4971fc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494942Z", "creation_date": "2026-03-23T11:45:31.494944Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494957Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0bd3d995db6fbb4593d2ade20e4003b2e27ffad6a45f0a564bd9cf4ad7a8bafd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2974722a-2640-5131-8342-0e94a05cf11d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154536Z", "creation_date": "2026-03-23T11:45:31.154538Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154543Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eabb2df58b057820cc50c7dcf5d40e8a705b4b87034909f9f0e246ca01aa9e75", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2977d0cd-5454-5b73-b0ae-6a5020444b22", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457450Z", "creation_date": "2026-03-23T11:45:30.457453Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457463Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ed2d2c1b00e87b926fb58b4ea43d2db35e5912975f4400aa7bd9f8c239d08b7", "comment": "Vulnerable Kernel Driver (aka rtkio64.sys) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2978634e-cab4-5ea5-8389-b51d38d6e6e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819637Z", "creation_date": "2026-03-23T11:45:30.819639Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819645Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2203bd4731a8fdc2a1c60e975fd79fd5985369e98a117df7ee43c528d3c85958", "comment": "Vulnerable Kernel 
Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2983778e-2354-55fb-95c4-e8e8dda0e606", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500787Z", "creation_date": "2026-03-23T11:45:31.500790Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500799Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8210ad8240cda74c5f7a4a328be2182ffe3395c3dd9b0882ad801715a5387772", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "29843084-aa9e-51d4-8192-c79b760012d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825529Z", "creation_date": "2026-03-23T11:45:31.825531Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825536Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "06b0976210196e847367d79c7bdc8ca9a8c078af7b5ad20cbfc61dbc0fb267af", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "29a6311c-8046-5d45-83ef-4fad95eff34a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983686Z", "creation_date": "2026-03-23T11:45:29.983688Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983693Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "159e7c5a12157af92e0d14a0d3ea116f91c09e21a9831486e6dc592c93c10980", "comment": "Vulnerable Kernel Driver (aka WCPU.sys) [https://www.loldrivers.io/drivers/7f645b95-4374-47ae-be1a-e4415308b550/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "29afccbb-b875-5d92-a880-906165790491", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828278Z", "creation_date": "2026-03-23T11:45:31.828281Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828290Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b63666ddf88d0b624170e3799d8bbb1013868b272a6a33d1e3228a458a17a9de", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "29d15e5e-eb16-5057-8ac1-9d4207e00314", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485676Z", "creation_date": "2026-03-23T11:45:31.485680Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485689Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d9ea84656fca35befae97f0320a3373ceeb6001cdb296e0b7d38e9032e571b6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "29e421e8-c55e-5810-8506-2e050cf1abe5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816191Z", "creation_date": "2026-03-23T11:45:30.816193Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816199Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5e3bc2d7bc56971457d642458563435c7e5c9c3c7c079ef5abeb6a61fb4d52ea", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "29f5a697-7650-57d2-992f-505712953bf7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142524Z", "creation_date": "2026-03-23T11:45:31.142526Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142531Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "139cf28440079aa09f659a9d29a3fc5800071d69fdbe57f0a07b42ec9baa6ea4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2a0b1644-6fa5-5e00-9b72-6ecfe006d24c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831036Z", "creation_date": "2026-03-23T11:45:30.831038Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831044Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8d5f1f60a027b52eedd8c48c003f193241f492970a078c0c8d9bbc1391efd9ea", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2a1f2b20-8cb2-556f-9148-e4225b967f66", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822657Z", "creation_date": "2026-03-23T11:45:31.822660Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822669Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1556dd49b3de1aa42158edd10ecc67cdc395d9ee87905562ea6b080a9ed429d9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2a2f6431-3538-5347-809a-04ab34479b4f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973861Z", "creation_date": "2026-03-23T11:45:29.973863Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973879Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a8027daa6facf1ff81405daf6763249e9acf232a1a191b6bf106711630e6188e", "comment": "Trend Micro 
Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2a3570d8-35a3-5499-a8c9-d5b09d3d2e78", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979619Z", "creation_date": "2026-03-23T11:45:29.979621Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979626Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "88b901ce8ee199bc371e9cf39ab5375d31c6881a25ba5827e9b32ba7946ecda1", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2a3faaa6-dc9f-5d6c-abf3-5f3d6b81832f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821639Z", "creation_date": "2026-03-23T11:45:30.821642Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821651Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5c9e257c9740561b5744812e1343815e7972c362c8993d972b96a56e18c712f3", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2a464168-06e1-5cda-a44f-d05e5c143707", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481289Z", "creation_date": "2026-03-23T11:45:30.481291Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481297Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bcf811040c7552a2c93409a6cd2d63f8abbae121acca012e0b7f4fdc0b6a6b8b", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2a541ac9-f8df-5115-b0c2-018022f632ea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486906Z", "creation_date": "2026-03-23T11:45:31.486909Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486918Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b28842c58a0845fe6cba9c76192f166454ede275d74942de18df2dd3a71eb2a1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2a601188-1f95-5eb8-bfab-13dd5b1a273c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144372Z", "creation_date": "2026-03-23T11:45:32.144374Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144379Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e8c5227d8827405e0e13a16bbacc6959edd3de95bc167566f742a6c221a0fe75", "comment": "Malicious Kernel Driver (aka idmtdi.sys) 
[https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2a859023-f148-5ec1-b7af-4b3a9978fa34", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818680Z", "creation_date": "2026-03-23T11:45:31.818684Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818692Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eeca04c3c5d230fed7aa5cf9a4c5201d9253a6aaf8a68cdd8835b3d845024873", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2a8b8ac4-b24c-5521-8f7c-c559463dafe7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807623Z", "creation_date": "2026-03-23T11:45:31.807625Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807631Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9c1ec0557e0e5f59b30348ba919bf87feb938c2d1c5672d0aa67ebcd0f12ae86", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2a91d3b7-8394-598a-96f7-54c79ddfb442", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473338Z", "creation_date": "2026-03-23T11:45:30.473341Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473350Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "636b4c1882bcdd19b56370e2ed744e059149c64c96de64ac595f20509efa6220", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2a98a78f-6e36-54c3-9a22-bc9732e5bfca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818438Z", "creation_date": "2026-03-23T11:45:31.818442Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818451Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "716400501309b00b9003430749a2579b4c35867b6b8b383a83a8f7f76fe9f3d6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2aa40a11-9039-510d-8ddc-ada7a6b7a01b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612957Z", "creation_date": "2026-03-23T11:45:29.612959Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612964Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "25bc1b72ba6092674ec561d7de8f5e4a7adb23c29fa68de5b29a30a671257dac", "comment": "Marvin Test Solutions HW vulnerable driver (aka Hw.sys and Hw64.sys) 
[https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2ab01bd4-47da-5cb2-ae69-c29e057f43ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971202Z", "creation_date": "2026-03-23T11:45:29.971205Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971213Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2ab22cbf-3327-5822-98fb-7620cbb1720e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613841Z", "creation_date": "2026-03-23T11:45:29.613843Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613848Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "df82f155376b4e95a3f497b7362ba6039c04d2ae78926f626dbe1a459bc626d7", "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2ab6e22c-f0af-53d5-8c43-ecd3d46c59c2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492431Z", "creation_date": "2026-03-23T11:45:31.492433Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492438Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8f7e34a971f2a2a3d473432d9cea4c8d6ec680184e2972230795a1f33406218d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2ac2a541-2fc6-5000-9215-4139ef1d61cd", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817609Z", "creation_date": "2026-03-23T11:45:30.817611Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817616Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3678ba63d62efd3b706d1b661d631ded801485c08b5eb9a3ef38380c6cff319a", "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2acf40da-baa4-55f7-a6d3-12dc8f88069a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821908Z", "creation_date": "2026-03-23T11:45:31.821910Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821915Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"e84886c82660f3bd9b6e04024251bfbb8dbc5690c567feb163cc751d5c00cc2d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2ae19c56-8543-5d7f-afc2-f7a040fbcec1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621651Z", "creation_date": "2026-03-23T11:45:29.621653Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621658Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0ee5067ce48883701824c5b1ad91695998916a3702cf8086962fbe58af74b2d6", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2af7c7d6-9b58-538b-9829-af0506a4b402", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614006Z", "creation_date": 
"2026-03-23T11:45:29.614008Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614013Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b179e1ab6dc0b1aee783adbcad4ad6bb75a8a64cb798f30c0dd2ee8aaf43e6de", "comment": "Huawei vulnerable drivers (aka HwOs2Ec10x64.sys and HwOs2Ec7x64.sys) [CVE-2019-5241] [https://www.microsoft.com/security/blog/2019/03/25/from-alert-to-driver-vulnerability-microsoft-defender-atp-investigation-unearths-privilege-escalation-flaw/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2af81a35-f15a-506b-aaad-ae8f3e28bcf5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464842Z", "creation_date": "2026-03-23T11:45:30.464845Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464854Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fefc070a5f6a9c0415e1c6f44512a33e8d163024174b30a61423d00d1e8f9bf2", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2b05261b-235b-5527-834b-8bed12ee858b", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621513Z", "creation_date": "2026-03-23T11:45:29.621515Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621520Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "72322fa8bba20df6966acbcf41e83747893fd173cd29de99b5ad1a5d3bf8f2de", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2b0ba12d-b21b-5abe-957a-c358d33a6004", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500708Z", "creation_date": "2026-03-23T11:45:31.500711Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500720Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"3d70435e28f05a78a0cf513383da887cce3b4d311e1407149c72581cb00785aa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2b0de7f1-3c19-546a-b09a-938e620febe1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606249Z", "creation_date": "2026-03-23T11:45:29.606252Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606261Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c089a31ac95d41ed02d1e4574962f53376b36a9e60ff87769d221dc7d1a3ecfa", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2b1b146a-d57e-5e9f-8fa1-9d5bfc137679", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.474396Z", "creation_date": "2026-03-23T11:45:31.474399Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474407Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b7282653f7af709a7740d785a93b1ea245ab26d177c1c4a58bf48b9fceae6204", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2b251617-d326-5f78-9a83-1ddaeb64d804", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612109Z", "creation_date": "2026-03-23T11:45:29.612111Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612116Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dbcad271feda00f614ef9866886cde83e9fffac6e76694fd052790541bb7e993", "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"2b38124d-1062-5cc5-93b9-1784dd20bc34", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140690Z", "creation_date": "2026-03-23T11:45:31.140692Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140697Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e662bddd89c5886decdedb13b0037b88d5270bfeed1bafaa1e6c9199ab98fcc5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2b3a1fdb-e6d9-5175-9f91-e26c0c22c850", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464062Z", "creation_date": "2026-03-23T11:45:30.464066Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464074Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aaf04d89fd15bc61265e545f8e1da80e20f59f90058ed343c62ee24358e3af9e", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2b4716eb-45a1-5704-9a6f-380db688d587", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146656Z", "creation_date": "2026-03-23T11:45:32.146658Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146664Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1e42c8cb410a7ed653cfe62bbd8cf191f31a47337fe1ffcc35232d03f2da05ef", "comment": "Vulnerable Kernel Driver (aka isodrivep64.sys) [https://www.loldrivers.io/drivers/0144dbef-1da8-406c-8e35-7afee57dc471/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2b5146da-a38a-5c85-b236-6643f1c3066d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:31.484389Z", "creation_date": "2026-03-23T11:45:31.484393Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484404Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dec60f8994b1773fcdf3fe19aa88288eae060801f38be150e789d6fbbec594f3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2b67c2da-a992-5868-9157-d85c58840512", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977622Z", "creation_date": "2026-03-23T11:45:29.977624Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977632Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cff3fc66d54279b755ceedf89268847dbb5139227739e4689f5d9271b1d7923b", "comment": "Vulnerable Kernel Driver (aka CorsairLLAccess64.sys) [https://www.loldrivers.io/drivers/a9d9cbb7-b5f6-4e74-97a5-29993263280e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2b8441e5-e033-5cb8-b8d8-1bc47883240c", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493708Z", "creation_date": "2026-03-23T11:45:31.493711Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493721Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f5bf5496e3d659e3c2e2e307eed9950313aa786993b5ddda1c57ad63b845cc2f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2b8e6f7d-929c-56bd-ac32-d072c299cb09", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815624Z", "creation_date": "2026-03-23T11:45:31.815626Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815632Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "4c90eaa11eeb28ab56835396f73ce0b6cc53b16763b6458cd9785c7611e1bc5e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2b9814c4-ac15-5d6b-814b-ae9c1bf43a71", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827748Z", "creation_date": "2026-03-23T11:45:31.827752Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827760Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d6e12d25d540bcdcacfdc5b002ec1c143bfbc27ac1b245ba4c4b02cf0aad68be", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2b9aa810-44f3-5154-804a-2c95520bba88", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816339Z", "creation_date": "2026-03-23T11:45:30.816341Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816347Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1072beb3ff6b191b3df1a339e3a8c87a8dc5eae727f2b993ea51b448e837636a", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2ba4de36-e541-5562-9938-f56fefe825aa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480047Z", "creation_date": "2026-03-23T11:45:31.480051Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480060Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4e9f8dba42f74f39e47db54d329e72eeedd4099ec19e07ed6118ea4226dcc89b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2baca094-5735-5f83-bf9e-37a9d250417f", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481326Z", "creation_date": "2026-03-23T11:45:31.481330Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481340Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "295b4bb1caf0ae8e2899d4a0d8993b89a8c8a49545c6189a7a159df1c53e35be", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2bb28b0e-7192-5fd1-b368-945713324554", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479404Z", "creation_date": "2026-03-23T11:45:30.479406Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479411Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "b9ae1d53a464bc9bb86782ab6c55e2da8804c80a361139a82a6c8eef30fddd7c", "comment": "Vulnerable Kernel Driver (aka segwindrvx64.sys) [https://www.loldrivers.io/drivers/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2bba6706-e84e-5e31-89a4-cad3682dfe0a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817142Z", "creation_date": "2026-03-23T11:45:30.817144Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817150Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "478bcb750017cb6541f3dd0d08a47370f3c92eec998bc3825b5d8e08ee831b70", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2bbb4aa0-da50-567a-98d7-7dd04b24bf1a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.487843Z", "creation_date": "2026-03-23T11:45:31.487845Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487851Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd558e1672f27fe33be51a323270220d801faa7a5161325b3f209a57165c2276", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2bc26081-95be-5d44-a561-06ac2d24800a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825022Z", "creation_date": "2026-03-23T11:45:31.825024Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825030Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47b1d7407df6ae4e63d4a70c894fde455f8e93382ce2bb266a0b558e87c5215e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2bc518ec-b0db-5c71-9c61-ecc662ba8092", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818049Z", "creation_date": "2026-03-23T11:45:30.818051Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818056Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bac7e75745d0cb8819de738b73edded02a07111587c4531383dccd4562922b65", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2bd8df8d-38a9-5afc-9f94-c20ce89e8da2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150018Z", "creation_date": "2026-03-23T11:45:31.150020Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150026Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", 
"value": "a05d43c56290c41bd2eb75c19d32da821a055aa05c3b5bca2af047bd7cf01fe5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2becde35-7ed3-52c6-b3bc-f1bb773110ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981076Z", "creation_date": "2026-03-23T11:45:29.981078Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981083Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3b19a7207a55d752db1b366b1dea2fd2c7620a825a3f0dcffca10af76611118c", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2bf002f5-8d92-5942-83f1-e21ed0e1773c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622002Z", 
"creation_date": "2026-03-23T11:45:29.622004Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622010Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7ebc5906d7fd9c606dc6ef9b49f3e57b63af838f5807fcdcdd5ff47b5b05e39c", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2bf9e2cb-de54-54eb-ac80-a2457b55239d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455700Z", "creation_date": "2026-03-23T11:45:30.455704Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455713Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8dcec67a1f4903981c3e0ab938784c2f241e041e26748e1c22059e0e507cfb37", "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2c03667b-6c4b-5e6f-9b6a-46a9f437d2d7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973535Z", "creation_date": "2026-03-23T11:45:29.973537Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973542Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "385485e643aa611e97ceae6590c6a8c47155886123dbb9de1e704d0d1624d039", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2c07fd5f-b564-5da6-845d-e4dfb5461d6b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.478005Z", "creation_date": "2026-03-23T11:45:31.478010Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.478020Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5075bbd95d7f849fceb89e8d8ee6e471f43f38f10e73ce0051c430860fd8bf82", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2c0e5f36-b170-519b-9d56-7547d9f9149a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970193Z", "creation_date": "2026-03-23T11:45:29.970195Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970200Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f8e307f2af1c1ae3d5ef6581e651823e3b6bfb9d7b565353cbd50e455c1dc9c8", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2c11ca77-7e61-5be0-92c9-3ac811bc4926", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819411Z", "creation_date": "2026-03-23T11:45:30.819413Z", "enabled": true, "block_on_agent": 
true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819419Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "909f6c4b8f779df01ef91e549679aa4600223ac75bc7f3a3a79a37cee2326e77", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2c19b064-0ba6-50e5-bbf2-d490e7d111ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972353Z", "creation_date": "2026-03-23T11:45:29.972355Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972361Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7cc54914473d7c75a483c5672655bd9df2ce20b556a0d92c6e4cb8722ab1647b", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2c1b3711-43cc-5bd3-a4f2-38e5fa9f4a0c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980567Z", "creation_date": "2026-03-23T11:45:29.980569Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980575Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bedb1e28fd1cdf391edc859c58cb318a9ab686f254195246909b245e7aaf7669", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2c296f4f-092b-5712-9a72-5f6b814e6311", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495853Z", "creation_date": "2026-03-23T11:45:31.495855Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495861Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "28655efe3e72526fc4262af0ce8796e97afc40670f9f07cc0d3a6757ccf01b8b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2c298533-10ab-55ea-91a9-0cea427041a8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985268Z", "creation_date": "2026-03-23T11:45:29.985270Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985276Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1fd7a44b042d397ad5a6417e4aa4b30eb2e40df6274d3ac7155ecc68c88cdb6d", "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2c2bc3d1-876e-520c-9924-2a7d6f490f64", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831901Z", "creation_date": "2026-03-23T11:45:30.831903Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.831908Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "17f56891f409d185f9932c314c74fe4159f1bd98ef9461fb27cc6d43cdc051ab", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2c4430c1-f79e-5c07-a7f1-c2e8015a8dfe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140170Z", "creation_date": "2026-03-23T11:45:31.140172Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140178Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3547ced5aba570748d3afc0b1c50d4303da5a7310bb184acffdc0e4a2a6df2d0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2c4b3f28-312a-564e-83ab-9c1aef5d36cc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807427Z", "creation_date": "2026-03-23T11:45:31.807429Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807435Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "14841bd8f99ccfa7bd0498fa61b94be442b89a275ff658728f3c200ba7453f87", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2c586110-3801-595a-b9db-140ecdbb1518", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144861Z", "creation_date": "2026-03-23T11:45:31.144863Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144879Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "be0acb944b14fae853a06873bb74b3f0b4b9e9953f1ed190f4c870321abb55bb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2c69ad6e-25b6-5017-97de-e050310052af", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980646Z", "creation_date": "2026-03-23T11:45:29.980648Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980654Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d2e10e17bca5e85e6b84345b47aab14adf45d98c672db6acf90479a7faf20b5a", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2c69dfec-5f73-5df3-a6fd-7c1beaeaf066", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822764Z", "creation_date": "2026-03-23T11:45:30.822766Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822771Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "811f82960814c21949534fc1808e341a5b22caf52a094e5e427dac3aa6c7aa73", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2c766cfb-3e01-5c7d-86d7-7d5e83c04a37", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811880Z", "creation_date": "2026-03-23T11:45:31.811882Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811888Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f3f57d2b8ee90e6abf95a794068b078cb460404b7bee8ebffb6af770e01ef755", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2c92ca5c-5459-5868-8526-834399dde287", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824847Z", "creation_date": "2026-03-23T11:45:30.824850Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824858Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "de86f46cbe03899317ca5eea86d1d097e544981ebd4dd4e877fc4172331a0316", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2c98ebff-946b-5325-9fe2-5942ea795da8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498334Z", "creation_date": "2026-03-23T11:45:31.498337Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498345Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3e5fc71ec72058d01e32845ea0face48d6c2db299d12d3e0a934aa2ae88cbfcb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2c9d0d07-0bf1-5b43-afd8-90f4787163ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608352Z", "creation_date": "2026-03-23T11:45:29.608354Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608359Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d1d632fec82d0d2e3caf808d0d63dd4e5e6e646011d7223b64fc8a396e3bb127", "comment": "Vulnerable Kernel Driver (aka EnPortv.sys) [https://www.huntress.com/blog/encase-byovd-edr-killer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2cad807a-cda1-51f3-a388-295c88e6161d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818765Z", "creation_date": "2026-03-23T11:45:31.818769Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, 
"hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818777Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7c24049cf3a07da50239e60c6613bb8c1ed1334d26a194a2a74b531a12fd8062", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2cb3846e-9388-5a91-92f7-d43c72264947", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817232Z", "creation_date": "2026-03-23T11:45:31.817234Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817240Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "950600f5b8c3d412f8d323761a37d924ce21d7044e1d60751f12a760a9c576a2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2cbfe323-e6ef-5a51-8661-b5a1669bb773", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492356Z", "creation_date": "2026-03-23T11:45:31.492358Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492363Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "be0e9d9ffea406e92801dd5db568baf4ba033e0b519b7991f6f3e14cc107a719", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2cbfecb3-7437-5357-8676-ccbddd697a9b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818469Z", "creation_date": "2026-03-23T11:45:30.818471Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818477Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "582b62ffbcbcdd62c0fc624cdf106545af71078f1edfe1129401d64f3eefaa3a", "comment": "Vulnerable Kernel Driver (aka 
kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2cc87e45-adb7-5990-8459-9a83bf8fb153", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480806Z", "creation_date": "2026-03-23T11:45:30.480808Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480818Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5be106b92424b12865338b3f541b3c244dce9693fe15f763316f0c6d6fc073ee", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2cd642e0-f30b-5d4a-ad70-ddf9ce4ab906", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812408Z", "creation_date": "2026-03-23T11:45:31.812412Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:31.812420Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "96c45ce5fbbf8f5ac78b1fd7c3018a155158699209ccfc76c75e781e79063197", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2cd70ed8-437c-5b22-8dcf-5316cd4f3006", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977747Z", "creation_date": "2026-03-23T11:45:29.977749Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977754Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e86cb77de7b6a8025f9a546f6c45d135f471e664963cf70b381bee2dfd0fdef4", "comment": "Vulnerable Kernel Driver (aka Lv561av.sys) [https://www.loldrivers.io/drivers/47a351ee-8abe-40d8-bc2b-557390fa0945/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2ce38a23-d8db-5b66-9565-df1c397d663c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825687Z", "creation_date": "2026-03-23T11:45:30.825689Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825695Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1f256356057405d71b89957a70fe19839aefc306a9031a96ad88d0cc9984e316", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2ce71100-4a00-534e-ace0-3c5bc3bfe386", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822442Z", "creation_date": "2026-03-23T11:45:30.822444Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822449Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "da99d80082f3492080cd036d121d6d017b9e8d09edcd59e099b1755aa7e9be16", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2ce988f2-c60d-50c8-b76c-bb80567d8dc2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619683Z", "creation_date": "2026-03-23T11:45:29.619685Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619690Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1deae340bf619319adce00701de887f7434deab4d5547a1742aeedb5634d23c6", "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2cead37d-a579-549a-a769-670133d2de75", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823257Z", "creation_date": "2026-03-23T11:45:31.823260Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:31.823268Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a051ab0a007d473083fac3cb8b7ef1a1a89af0a55b77e1795c5ea3917c4280cd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2cf3c576-3535-5b70-887e-7f8530b64044", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481197Z", "creation_date": "2026-03-23T11:45:31.481201Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481211Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eb270e71a7af28e15663fee5aead3ecdf17107d57fe6a3ea70fc47085bfadfeb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2cf45311-f53d-532f-87a4-e3545d422448", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825887Z", "creation_date": "2026-03-23T11:45:31.825890Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825896Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9cdf3495a1bb54e0c4393144d9a03c1a677e44e1a4bd9a25535f11af95055d7a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2cfa0b06-3d5e-51a9-a287-9c20cc2a4701", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472951Z", "creation_date": "2026-03-23T11:45:30.472954Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472963Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "40da0adf588cbb2841a657239d92f24b111d62b173204b8102dd0e014932fe59", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) 
[https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2cfe9432-2983-56d3-9095-235d3d2a22f2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472025Z", "creation_date": "2026-03-23T11:45:30.472028Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472037Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "65deb5dca18ee846e7272894f74d84d9391bbe260c22f24a65ab37d48bd85377", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2d005334-b6cc-5a6b-b1bb-5533904dba30", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825888Z", "creation_date": "2026-03-23T11:45:30.825890Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:30.825899Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "365ab6a51b569492922d452c351c3c2b6a2cca74dd2078d9905bb9065d374bab", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2d0167f1-3c42-5192-8ea3-64162ac93d73", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829079Z", "creation_date": "2026-03-23T11:45:30.829081Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829086Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e4f8ebedf80fdb13ccff95bfa4dc85feeb9b09e4dc5b4ede71a17e13796e5fe5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2d0bed4a-ab1a-539b-b8fb-3ab612a9692e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822237Z", "creation_date": "2026-03-23T11:45:31.822240Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822245Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a14f1b5d2f9de3246277b7a1257933ade03c6c2e2f6f4a5b28529f23126a706c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2d0d8f06-f34e-53bb-a7bc-c7fb849747aa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815455Z", "creation_date": "2026-03-23T11:45:31.815457Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815463Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eae1c884154b86ecf7bf42672704dafad2c9c276d67da490a127ea8fe17e0ede", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2d0db0dd-6418-5ec1-ac67-44a9fb874a38", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974592Z", "creation_date": "2026-03-23T11:45:29.974594Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974600Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d3227dc2e8f83258810cf43719f02a8d52648eb17939fddd79fd70155a47305d", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2d18ced3-9ca5-5f6b-bf51-e188d0bbb008", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604754Z", "creation_date": "2026-03-23T11:45:29.604756Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": 
true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604761Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c725919e6357126d512c638f993cf572112f323da359645e4088f789eb4c7b8c", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2d22a591-e95e-5534-b3e8-c9efc27060f4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469515Z", "creation_date": "2026-03-23T11:45:30.469518Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469526Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab5b4c34bc49b3ae9c6a7607d97b2bd63d9a1b3c669ef18c8865c8a50a3254a9", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2d27399a-5782-5e4f-93c0-4ff83d9ba94c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.603867Z", "creation_date": "2026-03-23T11:45:29.603884Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.603890Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "35a12d81f7062a22644b500d91b1603b4f97756ad165c3ea571e7fef55c24162", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2d287735-a79a-5370-9984-8e5b12bc423f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616668Z", "creation_date": "2026-03-23T11:45:29.616670Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616676Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3cb75429944e60f6c820c7638adbf688883ad44951bca3f8912428afe72bc134", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2d326022-537d-5b39-b94a-e45fe2370021", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145800Z", "creation_date": "2026-03-23T11:45:31.145802Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145807Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5c06f28debb4b70eda58fcc200135f50d3dc4fbc7dd0d9f71180cd81fdcc871f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2d38ae6d-4d9f-5ed6-ad9f-6132bb960f2a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468583Z", "creation_date": "2026-03-23T11:45:30.468586Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468595Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "058c84860fb9fefd4c5cec57b6ef9f43146a6509b6894f2a27fb5a2dd16d578b", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2d4a8c8f-d2ab-5a1d-8b79-38f79dbee7a6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150409Z", "creation_date": "2026-03-23T11:45:31.150411Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150416Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "535a9cfd2cd3809db4ed92b8e64769ca9bf10aa9cd75e9e4ae500188706813cb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2d4cd469-62d1-58f3-96dd-1355ef03bc42", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822362Z", "creation_date": "2026-03-23T11:45:31.822363Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822369Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "52ea7d44f5d0945b92a34c705495fa8f8aa9b2f45f2b22598d1e7f5e3f524376", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2d4d7869-dab0-5a46-907b-986e430a6bad", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984174Z", "creation_date": "2026-03-23T11:45:29.984176Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984181Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "db68a9cbe22b22cba782592eef76e63e080ee8d30943be6da694701f44b6c33e", "comment": "Vulnerable Kernel Driver (aka OpenLibSys.sys) [https://www.loldrivers.io/drivers/2e4fedb0-30ed-400d-b4e1-b2b2004c1607/] [authentihash SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2d502764-a8b3-5628-b5cf-5bde97eb0555", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470011Z", "creation_date": "2026-03-23T11:45:30.470014Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470023Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3de9802a0a1f2da67908a69b4face53b2e62d8106d7c8e2f1d4acfd0a0694f26", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2d51173b-5a18-53b4-a479-393f09876f42", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969699Z", "creation_date": "2026-03-23T11:45:29.969701Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969706Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "128bf3838267c86c8163f82f087e564814228288702e08b31ec26dc7525159ac", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2d5531b0-f5dc-5d00-8186-017b93bd5d38", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479133Z", "creation_date": "2026-03-23T11:45:30.479137Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479147Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b205835b818d8a50903cf76936fcf8160060762725bd74a523320cfbd091c038", "comment": "Vulnerable Kernel Driver (aka rtkiow8x64.sys) [https://www.loldrivers.io/drivers/998ed67c-9c20-46ef-a6ba-abc606b540b9/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2d66d5c6-326e-50b6-a324-0173c22195d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481345Z", "creation_date": "2026-03-23T11:45:30.481349Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481364Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e26a21e1b79ecaee7033e05edb0bd72aca463c23bd6fdf5835916ce2dfdf1a63", "comment": "Vulnerable Kernel Driver (aka phymem_ext64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2d74c0fa-f4c0-5dbc-9d5b-be832bbccafb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825906Z", "creation_date": "2026-03-23T11:45:31.825908Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825914Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e54dd3504b5793374e6a86f6e3bca9cc65adc933966650228bc85aadb4f62db3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"2d76d0e1-a4a7-57c8-979f-3e67cbe165ef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610811Z", "creation_date": "2026-03-23T11:45:29.610813Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610818Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "deecbcd260849178de421d8e2f177dce5c63cf67a48abb23a0e3cf3aa3e00578", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2d7d47dc-f469-5ba6-ba98-14f33c00f5c1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150858Z", "creation_date": "2026-03-23T11:45:31.150860Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150865Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "068b16fe0621a588c76f8c3f5d8c60a5508e59deef745823a8678c8f2eace2f5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2d81f1a6-0b49-5857-873c-7ea236c7621b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833234Z", "creation_date": "2026-03-23T11:45:30.833238Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833246Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8a131c92a1a03f5b8270c022d3a037e27e3ac8e94fef4f03c35b533f2115e7b2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2d8ab166-a8df-59f7-ade7-71173e028b12", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809135Z", "creation_date": "2026-03-23T11:45:31.809137Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809143Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5928478c14a1f50542a9c2e5dbdc6a8419e6c8ae79e3aad1209957cdb53bc136", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2da6c0d3-0eca-5574-89b5-5acf10b6c3b5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814363Z", "creation_date": "2026-03-23T11:45:31.814366Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814374Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "31e47907cb77b4f47b90b1f1d83708970ba9c75003605217e2c5cdadaf01ad9e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2daf1f42-7c01-54f7-b8e1-ae81755d50c4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819756Z", "creation_date": "2026-03-23T11:45:31.819759Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819768Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9b3e4c6da318fd5a2a0942d19af1acfad48a0bec8a110f9d32c28513841e3f9f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2db32db6-e021-5ff9-be08-f8294763e1e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970582Z", "creation_date": "2026-03-23T11:45:29.970584Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:29.970590Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ecee4ac0ca126487abd39bd461e160118a33f68466128d695ecfde7eca0c340f", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2dc7ad67-af79-5a5c-84d9-fa2dc9bc7982", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489965Z", "creation_date": "2026-03-23T11:45:31.489968Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489977Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a23f56d5fc0fc9bcaabd5943d042241ceac855257f87e4439637bbd769364954", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2dcb60df-aa07-5992-85de-4fd619d494f8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614543Z", "creation_date": "2026-03-23T11:45:29.614545Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614550Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47f0cdaa2359a63ad1389ef4a635f1f6eee1f63bdf6ef177f114bdcdadc2e005", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2dce5400-3603-5c20-8638-31d53de3e450", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488552Z", "creation_date": "2026-03-23T11:45:31.488554Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488559Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8cdce30ffc719e709b8de1d4146b700d71994e58cccba28e9a24b657708d5cd2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2dcf9b0d-1640-5cd8-ba9a-ced1bfb15ec8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.147168Z", "creation_date": "2026-03-23T11:45:32.147170Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.147176Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e44657710d6e525f6807eb32ae74ba8fa4578574e60bd82774bf4b735adf70eb", "comment": "Malicious Kernel Driver (aka AppvVStram_.sys) [https://securelist.com/honeymyte-kernel-mode-rootkit/118590/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2df56d32-b564-5249-ac26-77f766ee0afc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145290Z", "creation_date": "2026-03-23T11:45:31.145292Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145297Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "62536485cdd116a9be1d739fc0136e62d33a4d95eda68727166b717f2560ff2a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2e1803f1-74a8-5c29-952d-3a079b2969ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819158Z", "creation_date": "2026-03-23T11:45:30.819160Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819165Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "36d8d27d2ee91c45502d3a6688afc5c09b2b9776232074e65bd813a230eb37d1", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2e1859bd-abce-5486-bb40-de526449a23c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" 
}, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490297Z", "creation_date": "2026-03-23T11:45:31.490299Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490305Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "701e9df3097b53de461ba7a61e5499443e57a0cfe6ead7cd4ebbd1867a8c71e4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2e22a42c-517a-5762-9d86-6b014106f512", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620295Z", "creation_date": "2026-03-23T11:45:29.620297Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620303Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "76fb4deaee57ef30e56c382c92abffe2cf616d08dbecb3368c8ee6b02e59f303", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"2e24b4f7-c09a-52c8-b698-653c0f2547f1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492448Z", "creation_date": "2026-03-23T11:45:31.492450Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492456Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "400c4daae47f29a340154e2e5ebcacce436f0f00067fcb528c9acbe281f5d8ec", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2e3473bf-5c8d-5b96-a585-532d5b7629fc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.161146Z", "creation_date": "2026-03-23T11:45:31.161148Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.161154Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f268e679640e2be2c2f10153fe2bb866a76e63ec7237552377e00121579f3a16", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2e624e7f-4d71-5e73-9375-725614d45442", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977243Z", "creation_date": "2026-03-23T11:45:29.977245Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977250Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e1cb86386757b947b39086cc8639da988f6e8018ca9995dd669bdc03c8d39d7d", "comment": "Malicious CopperStealer Rootkit (aka windbg.sys) [https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2e677db8-0185-54be-a208-ae0924a05730", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147466Z", "creation_date": "2026-03-23T11:45:31.147468Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147473Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "39387167827471754b84cb209e9bd06b268173b53d64f8106a2fdf8ae872df42", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2e712d09-5b84-5a6a-9432-bf2cf89a0927", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807539Z", "creation_date": "2026-03-23T11:45:31.807541Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807547Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a688ece8c13c9250de44f982cbcbe8ed7460aa4173cfd51a1f8ce0490ead33f7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] 
[file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2e8096a7-8140-5188-b445-4c000ad2a6f0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478015Z", "creation_date": "2026-03-23T11:45:30.478019Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478028Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "72876e44135f9b49932b547129e32acf9ce3df98a3f9c5c31355160f6d06ca3c", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2e8d0e7b-d6b8-5ff2-b194-0f79157c2275", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150513Z", "creation_date": "2026-03-23T11:45:31.150515Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150520Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ca151932a897c90240b0d5ed97b3e5f655b7383091b3d66bd54123ce3f7520bc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2ea6abff-85b6-51b6-a3ea-e727903b045c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146854Z", "creation_date": "2026-03-23T11:45:32.146856Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146862Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "174c8d771d31d70fc95448e961a395f5ceb7658f0cc381a718fb3b854cde4efe", "comment": "Vulnerable Kernel Driver (aka BioNTdrv.sys) [https://www.loldrivers.io/drivers/e6378671-986d-42a1-8e7a-717117c83751/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2ea92f52-ebc0-5178-a2ed-d2f401544dd7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 
1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832461Z", "creation_date": "2026-03-23T11:45:30.832463Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832469Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f5376806f970b67dc5e8c5a74600cfa69c26d668141b353a636c9d8cd919f0f3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2ebb61ad-e782-5512-8a5a-a2e03b8db716", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613598Z", "creation_date": "2026-03-23T11:45:29.613599Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613605Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a0728184caead84f2e88777d833765f2d8af6a20aad77b426e07e76ef91f5c3f", "comment": "Vulnerable Kernel Driver (aka AsrSetupDrv103.sys) [https://www.loldrivers.io/drivers/19003e00-d42d-4cbe-91f3-756451bdd7da/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"2ec5b4a5-2582-5d0d-8fb2-fee352e0c364", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621229Z", "creation_date": "2026-03-23T11:45:29.621231Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621236Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9c4db6ee983fd4fa74f8212031ade343a1b9abdb258d05bef1aabd7ab49fbc16", "comment": "Logitech CoreTemp vulnerable driver (aka LgCoreTemp.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2ed76bf2-8029-5fc5-a53d-1cb252fa25e9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481229Z", "creation_date": "2026-03-23T11:45:31.481233Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481243Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6d2310cdc96a3411ee73044a5cc9a5c3672f61f5c496d04d76f6723646cf237f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2edac3ac-7c75-5a70-aadd-bb0783b328ea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150907Z", "creation_date": "2026-03-23T11:45:31.150908Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150914Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "17aa5ffb7f675645d0813a1caf6acdcbc4d6bf453a627c7535d01eb93cdd0ecc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2ee9f0e7-4dc5-58b5-a040-a23f5b60e768", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145639Z", "creation_date": "2026-03-23T11:45:32.145641Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145647Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "92f9341304bfb77158d29397d1b9695dee0d001ab5f119a8b49f49fa15e0cd98", "comment": "Vulnerable Kernel Driver (aka psmounterex.sys) [https://www.loldrivers.io/drivers/0f64bf7a-2ef2-45ea-af7d-4e7c87d98777/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2efdd326-d568-5627-a05b-b369780b52c9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463127Z", "creation_date": "2026-03-23T11:45:30.463130Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463139Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d7aa8abdda8a68b8418e86bef50c19ef2f34bc66e7b139e43c2a99ab48c933be", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2efe7a04-6110-5ee0-841b-cd2a20808162", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617931Z", "creation_date": "2026-03-23T11:45:29.617933Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617938Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1e9ec6b3e83055ae90f3664a083c46885c506d33de5e2a49f5f1189e89fa9f0a", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2f0414de-38a4-526f-8074-2b55193e2324", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140492Z", "creation_date": "2026-03-23T11:45:31.140494Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.140500Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "455f3eb28887f0b6d55c66f8607ee771f6103a39d8cb3af3dd1cc5f4e1266293", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2f0bcb26-7b00-5f8c-a586-4ac4afc478b8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984888Z", "creation_date": "2026-03-23T11:45:29.984890Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984896Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3326e2d32bbabd69feb6024809afc56c7e39241ebe70a53728c77e80995422a5", "comment": "Dangerous Physmem Kernel Driver (aka BS_Def64.Sys) [https://www.loldrivers.io/drivers/4a80da66-f8f1-4af9-ba56-696cfe6c1e10/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2f17ce4f-1338-5ae9-bd08-63d200e0e42e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604609Z", "creation_date": "2026-03-23T11:45:29.604610Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604616Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376", "comment": "Malicious Kernel Driver (aka daxin_blank3.sys) [https://www.loldrivers.io/drivers/9748d5c8-62dd-474b-a336-0aadb49e5ff9/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2f2372d9-1dcd-5869-823b-448810e78f02", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155823Z", "creation_date": "2026-03-23T11:45:31.155825Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155830Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e9f1c346fc6680ca2826dd85307c200ff199a83fa1f03b28cd14792007e39534", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2f2c126e-7fd7-5b05-af91-2ca69a1f26ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622263Z", "creation_date": "2026-03-23T11:45:29.622265Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622270Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "545190e8b2a910e153b12559a9875154a1b40d6424cb4a6299a84b2dc99df700", "comment": "BioStar Racing GT EVO vulnerable driver (aka BS_RCIO64.sys) [CVE-2021-44852] [https://nephosec.com/biostar-exploit/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2f2d992b-5616-51ac-a879-7e1b61b03880", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149618Z", "creation_date": "2026-03-23T11:45:31.149621Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.149629Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4af5d4cb95c32b9f8041a448c3766b658f4d6918f259fa75f1d0c92c711e9528", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2f2fa31b-9e29-51ba-985f-c83f5a170f16", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971042Z", "creation_date": "2026-03-23T11:45:29.971045Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971054Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0867af893422b7191e77907de58faf787d4763cc7e9a2a3a91c72f1995a9c3f3", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2f371a08-0c0e-54be-9a47-c17c6dea0da5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818136Z", "creation_date": "2026-03-23T11:45:30.818138Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818144Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b1e4455499c6a90ba9a861120a015a6b6f17e64479462b869ad0f05edf6552de", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2f4a6408-4fdd-5225-8de4-b1928710e84c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832730Z", "creation_date": "2026-03-23T11:45:30.832732Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832737Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0191860d2680f25783f5a383bdb4d31727e4d25761ccc506655c4f4f30b69228", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2f4cb198-2d97-5bde-95a3-ca20486cca49", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144072Z", "creation_date": "2026-03-23T11:45:31.144074Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144080Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "05cce97384d67bdd1f52138ba5a3755ccae99652d7b6c464c38feacc6729d5d3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2f605f93-1e4d-5d13-befe-38f0a03f7da2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605735Z", "creation_date": "2026-03-23T11:45:29.605737Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:29.605742Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "033c98b9b05a33b5c5c4e2f358c38f5f6447d9dc2f9d622fdb9295d85d2a29bc", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2f635675-3c68-57b5-a363-13e94cb7c611", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981437Z", "creation_date": "2026-03-23T11:45:29.981439Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981444Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a19fc837ca342d2db43ee8ad7290df48a1b8b85996c58a19ca3530101862a804", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2f774cb2-0bcf-5172-a670-8a7fa389d269", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": 
{ "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622385Z", "creation_date": "2026-03-23T11:45:29.622387Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622392Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e4c154a0073bbad3c9f8ab7218e9b3be252ae705c20c568861dae4088f17ffcc", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2f80f313-a112-51df-a7fc-cbd00c58d3b7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460294Z", "creation_date": "2026-03-23T11:45:30.460297Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460306Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fded693528f7e6ac1af253e0bd2726607308fdaa904f1e7242ed44e1c0b29ae8", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"2f8d7fc4-2d78-51e9-b20e-4cc04fda9400", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481061Z", "creation_date": "2026-03-23T11:45:30.481063Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481069Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5fbfd7c4ea3db1197ad38d5a945acf6f2f42cb350380cf8ae276bc80b0dedb77", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2f9cab69-94fc-590f-a769-2fa2b3fd0953", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.815822Z", "creation_date": "2026-03-23T11:45:30.815824Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.815830Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "32bd0edb9daa60175b1dc054f30e28e8dbfa293a32e6c86bfd06bc046eaa2f9e", "comment": "Vulnerable Kernel Driver (aka FPCIE2COM.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2fad6ddb-0739-5bfe-9d90-5ed6df9e856e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141468Z", "creation_date": "2026-03-23T11:45:31.141470Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141476Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea623a572ab20d2639ae1555a20d1183b37fe8c19e909a165f63dd6e8f8c6f4a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2fbf3e25-f6ff-5949-8d31-c95f5108e3f7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:29.611291Z", "creation_date": "2026-03-23T11:45:29.611292Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611298Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e650b4e4b5a95cba582b9749cac4c40e67e854d78eb8494f46f6d11f1fcea4d6", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2fc5fc97-2820-59f8-8b0d-8b60e4dad93a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471771Z", "creation_date": "2026-03-23T11:45:30.471774Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471783Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3813c1aab1760acb963bcc10d6ea3fddc2976b9e291710756408de392bc9e5d5", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2fcc7554-d6ac-5348-94da-2583db967876", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143077Z", "creation_date": "2026-03-23T11:45:32.143079Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143085Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d23f28169d6e5c09a89e5136a4ff899a3b6f886535bb0254a27dd00a2753c412", "comment": "Vulnerable Kernel Driver (aka msr.sys) [https://www.loldrivers.io/drivers/ee6fa2de-d388-416c-862d-24385c152fad/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2fd08b47-80b8-5cc5-9ea5-130a473f6820", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495671Z", "creation_date": "2026-03-23T11:45:31.495673Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495678Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"0bb9c31c9e971e9fd6b4854ce94078ac55b4cf8e4527ecdb5bfba6ef46d6d778", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2fd5c952-1d62-5b9e-b55c-fe0053e50f00", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457366Z", "creation_date": "2026-03-23T11:45:30.457369Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457377Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e6a53d4cf39b4b0b5069359d0a3b32eb1aa7b56c427487c9f838eb279c6a90d1", "comment": "Malicious Kernel Driver (aka 4748696211bd56c2d93c21cab91e82a5.sys) [https://www.loldrivers.io/drivers/2d6c1da6-17e2-4385-ad93-1430f83bde83/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2fd79d01-4916-5629-b28b-49a2c4a1713c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.607053Z", "creation_date": "2026-03-23T11:45:29.607056Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607061Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0c2d8e8487de5e7749f9899f6fefa6e7d40b394479449b5027a895392af23349", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2fdb3b05-ffc2-5e28-9b3f-f91d49368be4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813588Z", "creation_date": "2026-03-23T11:45:31.813591Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813600Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d0d8392881ea337e127c4575edfc882335d810eb6d4cf1055bcb8d0289d38730", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2fe65d51-0211-519d-88d3-a81689ff9dc5", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985796Z", "creation_date": "2026-03-23T11:45:29.985798Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985803Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0399dd3c395f84cbd6ac2e3e8ca8ee344a0f699b17db0624f936ae4bb4b7953", "comment": "Malicious Kernel Driver (aka wfshbr64.sys) [CVE-2022-42046] [https://github.com/kkent030315/CVE-2022-42046] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2fed0ec5-e714-5669-8d94-0c28cf1d73b8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148399Z", "creation_date": "2026-03-23T11:45:31.148401Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148406Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"9a557758ab1235961be0cdd324f746bc38b75cf9b8873b4c30d24152c03fe8b3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "2ff1235f-4f14-5960-87fb-e478c0a98bea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144340Z", "creation_date": "2026-03-23T11:45:31.144342Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144347Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2eb7904ecdbc96a8ea155c0f4d562753e65fc181f14179857cc32c9d9cc5f457", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3001c0f1-06e7-54b5-96e2-2b99bd9896d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145827Z", "creation_date": "2026-03-23T11:45:32.145828Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145834Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "79d48dd02d288dc1788ab3615e6de3c01e575abd19b27434c0f3f557db43592c", "comment": "Malicious Kernel Driver (aka driver_82d928c5.sys) [https://www.loldrivers.io/drivers/af8ef3c0-8686-4112-992b-86587a4a9060/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3007066e-9172-540a-b8ff-2615432c6898", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144744Z", "creation_date": "2026-03-23T11:45:32.144766Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144771Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "49373ea79d942e82873583a6515950acc04c578e75720593383ffb7ba4a28f3b", "comment": "Malicious Kernel Driver (aka windivert.sys) [https://www.loldrivers.io/drivers/45a31a17-f78d-48ec-beba-74f6bfc5f96e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "30158fc4-f82c-5215-8746-b8dad77ac989", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479668Z", "creation_date": "2026-03-23T11:45:30.479670Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479675Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5e238d351e16d4909ca394f1db0326a60d33c9ac7b4d78aefcf17a6d9cc72be9", "comment": "Vulnerable Kernel Driver (aka amifldrv64.sys) [https://www.loldrivers.io/drivers/a5eb98bf-2133-46e8-848f-a299ea0ddefa/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "301735eb-d0c2-55d8-8338-4c5f51f2503e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155293Z", "creation_date": "2026-03-23T11:45:31.155295Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155300Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"5fc8d085871c6d4f6b44f6eabafc3e7d6f49024166e65defdd0248d1de5babd0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "302170b5-68d9-54b3-bcd4-46cddbe26835", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485833Z", "creation_date": "2026-03-23T11:45:31.485837Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485847Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "04fb17d680c7c1ce2f971c2e17cd4108d2c995f9cc702d8da1fdd439bbd103ef", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "302c29f4-1254-5b9b-bc20-af456cfe1570", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489255Z", "creation_date": "2026-03-23T11:45:31.489258Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489266Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3697d13461d0bb6f23edc37d010869bdf421a51593fb264f2d1a38b8fdda755c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "30366c09-965f-531f-8451-cf776f6f7d5c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472914Z", "creation_date": "2026-03-23T11:45:30.472918Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472927Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0e8595217f4457757bed0e3cdea25ea70429732b173bba999f02dc85c7e06d02", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3036e53f-17c1-55e2-8dd4-d2dc8cd599ff", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156055Z", "creation_date": "2026-03-23T11:45:31.156057Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156063Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ef856b5e6a5846b8aa505272515b762a5b18b8a0496fff4950488d17eefc2095", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3037de6b-ee20-5ca0-8ea3-5b7c48a5114d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487719Z", "creation_date": "2026-03-23T11:45:31.487721Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487726Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "3fc98ecceccf767b976b7c4cd9f0aa5e0783e62da8ec5d52411d0b61686e4f24", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "306d5e2a-6d5b-5e05-94fe-bfdf81ba9fb9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480922Z", "creation_date": "2026-03-23T11:45:30.480924Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480930Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7277130afa0b1506998d7bc58567b0d83f52a27175f4c7c4a7186347095fceed", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3072fd59-8f3d-575f-b644-b0a8b3a13f05", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.500576Z", "creation_date": "2026-03-23T11:45:31.500579Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500587Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5ffdcfce9414bc1d674d0fd7ae9a531cfc9217791d0d4ea929cddfbce02cc67f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "308162f9-c939-5503-8df3-6f059da42411", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460850Z", "creation_date": "2026-03-23T11:45:30.460854Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460862Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5da0ffe33987f8d5fb9c151f0eff29b99f42233b27efcad596add27bdc5c88ff", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "30904c18-8ec2-596f-966b-074a79b80ea1", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609129Z", "creation_date": "2026-03-23T11:45:29.609131Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609137Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f4ff679066269392f6b7c3ba6257fc60dd609e4f9c491b00e1a16e4c405b0b9b", "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3096dde6-140a-57af-a8a0-ca44f8585351", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153578Z", "creation_date": "2026-03-23T11:45:31.153580Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153585Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "92bde364ca9d62fea430b42e32d3a4eeb9b2001bc30f85f0c152831ae47b1680", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "30a1a9c7-62d4-51f2-8fad-bb8466ce86bb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150160Z", "creation_date": "2026-03-23T11:45:31.150161Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150167Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8ad4b24c22e3c23290097ba585975c79c16727e4dddbcbcbc02082949cab8310", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "30a4f139-183a-5a19-923c-787ee9310cf2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830071Z", "creation_date": "2026-03-23T11:45:31.830073Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830078Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b7b307837c1af0367f6f341ab69a915bf1f67d0107d489993511b6ff7e0c2751", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "30bc2798-87d5-5380-a2d7-03a7d89548b9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834897Z", "creation_date": "2026-03-23T11:45:30.834901Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834911Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "43cfa6624c071648e67c03527b2dce064ff116b944431348380c8d74d3c39e3b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "30bf226d-06e6-5644-955c-56d0ddddeced", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613614Z", "creation_date": "2026-03-23T11:45:29.613616Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613621Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "399effe75d32bdab6fa0a6bffe02dbf0a59219d940b654837c3be1c0bd02e9aa", "comment": "Vulnerable Kernel Driver (aka AsrSetupDrv103.sys) [https://www.loldrivers.io/drivers/19003e00-d42d-4cbe-91f3-756451bdd7da/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "30cf82db-4ec2-57e1-82bc-854032dd265e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474559Z", "creation_date": "2026-03-23T11:45:30.474563Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474571Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"a3a6146a681d25f7d8be88fb36e37821a351205d9be2843c4e7cc0b366984b39", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "30d7ce0d-8147-5428-9573-3cdbc2504450", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471539Z", "creation_date": "2026-03-23T11:45:30.471543Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471552Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b3e645e8817696fa5d5e2255f9328f3b6a2e5fce91737f4d654ff155dc9851e5", "comment": "Vulnerable Kernel Driver (aka AsIO.sys) [https://www.loldrivers.io/drivers/bd7e78db-6fd0-4694-ac38-dbf5480b60b9/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "30deaf50-6a53-572a-8e2c-7e049a1c5699", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824664Z", "creation_date": "2026-03-23T11:45:31.824666Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824672Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1b3cdee0d8bd1ba2745d26c5a00583677735063c693d6947b5d7657fe9289053", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "30e4b39f-ccf0-5a86-8cb5-c80b2abe598c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973234Z", "creation_date": "2026-03-23T11:45:29.973236Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973242Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a3cf1a6edd205e04653b4338c077072ee753cde0a692490ecaf7afde27df5f0b", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "30f015e7-438e-5949-9ad6-3d04f8d543d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476147Z", "creation_date": "2026-03-23T11:45:31.476151Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476160Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bfda0d884c65b21699dd9f345fc78c1d684875d131fb46053526d491265eb357", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "30f50bc5-f7b4-5014-9038-68b9b452823f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974662Z", "creation_date": "2026-03-23T11:45:29.974664Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974669Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3912c38f4c09b107ee9bbb60f43a8193d6bacf00bfb3b59b7b146d76594797cf", "comment": "Trend Micro 
Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "30ff047a-93d7-5a4b-b652-2daeff5203cb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488344Z", "creation_date": "2026-03-23T11:45:31.488346Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488351Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "58a17f674f721cbf28ea2d27db218dc6926628fe663d1e7fc7fe9677b69fa395", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "310c3d06-dbe1-5bab-ae9f-47e0ed2cb117", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.623027Z", "creation_date": 
"2026-03-23T11:45:29.623029Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.623035Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fb5e65aec819c5a91ef0ce0fec0a957826b5e1ac9bac559a1b4201a3870462a3", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3119f1e5-d603-5f84-bc80-1f2a095e9d56", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826251Z", "creation_date": "2026-03-23T11:45:31.826253Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826261Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a57065508fcf79d4ada8dfff3960832fc5965e51733ae0aa3a5d280a4064e5c7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3137042b-1339-507c-a5f2-44a47bff5d4d", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159312Z", "creation_date": "2026-03-23T11:45:31.159314Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159319Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f0c8d9088dc4f244448c52981a1787abacd05479b82a96ef3afd6e2df19794c1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "313e93bd-80ac-5af6-a9d7-8ba5cff3779e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154076Z", "creation_date": "2026-03-23T11:45:31.154078Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154083Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "2f1f37add1d46ef96b65eb6b7c391634daf8bc05ab6974309e78134c2b2bdf81", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3142ec86-2409-58ab-94c5-cd01beaa2697", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808377Z", "creation_date": "2026-03-23T11:45:31.808379Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808385Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ec3523b3ae9f1e93bd536d2bfd6bf7009f88cd72180fea24cc02e17b01b9c889", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "315327da-365c-587f-b3a4-362d429c6631", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492320Z", "creation_date": "2026-03-23T11:45:31.492322Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492328Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8b4292dd2aa44e4a733a24aa3b49af054eede5f94bb18ed70a8ed7e8f3f7d003", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3159d35b-ef9c-53ad-b182-3d96a63b694e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827910Z", "creation_date": "2026-03-23T11:45:30.827912Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827917Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f0a96853916610e6482d05a736227f1714f3788446c30fc01580ebee8aa293aa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
} { "id": "31640dd0-8643-5767-823f-94c52d42d706", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621072Z", "creation_date": "2026-03-23T11:45:29.621074Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621079Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7196187fb1ef8d108b380d37b2af8efdeb3ca1f6eefd37b5dc114c609147216d", "comment": "CoreTemp Physmem dangerous drivers (aka ALSYSIO64.sys) [https://www.loldrivers.io/drivers/4d365dd0-34c3-492e-a2bd-c16266796ae5/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3169d357-3608-594c-9e8d-6fa626e7e748", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457069Z", "creation_date": "2026-03-23T11:45:30.457073Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457082Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "773dc9256c4eada182a5b41179a522740ba994eff30f868641bc91574705b8e3", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "316aa217-e371-521b-83bf-3e888dd7467f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460984Z", "creation_date": "2026-03-23T11:45:30.460987Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460996Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "67cd6166d791bdf74453e19c015b2cb1e85e41892c04580034b65f9f03fe2e79", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "316ab67d-e06a-5444-b59a-d4cf7b2f5aee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.807928Z", "creation_date": "2026-03-23T11:45:31.807931Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807940Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "22d850d29f5bae36a8981a5fe6464e6fe8759802efaaedd5be5de1ac9d5f521b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "316fbe63-f1e5-5dd6-a2cf-6c55dadbb027", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152704Z", "creation_date": "2026-03-23T11:45:31.152706Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152711Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fd85a6de046a79940fe6db2228c0089f11cbd5b8f7b5dab5ea3c54de69f7f905", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "317cd096-8e96-54f7-b938-fb3ffefd8bc7", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824587Z", "creation_date": "2026-03-23T11:45:31.824591Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824600Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3434fb840a9987286f03a9653588f1798075a53fcacac6137bf58f98e632cbdb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "31899b63-d7c0-5aa9-93da-44795b287fe0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.603976Z", "creation_date": "2026-03-23T11:45:29.603978Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.603984Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "7509d30b279e30893db7851a2912a5ffb29ec7e839220890d76de8e3a57b4872", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "318a83c6-7093-5733-bb90-7a379ee4ea21", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983386Z", "creation_date": "2026-03-23T11:45:29.983388Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983394Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0b8887921e4a22e24fd058ba5ac40061b4bb569ac7207b9548168af9d6995e7c", "comment": "Vulnerable Kernel Driver (aka kbdcap64.sys) [https://www.loldrivers.io/drivers/6a7d882b-3d9d-4334-be5f-2e29c6bf9ff8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "318b0fcc-b94d-50af-884d-bea43d54cfe1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.822761Z", "creation_date": "2026-03-23T11:45:31.822764Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822772Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2060c11cd0b210644db7af370f95fcb5c532e99a1cd09a6d56b8aaed2c040f15", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "318cabe3-d870-5a43-b6cc-7f832a23f946", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488639Z", "creation_date": "2026-03-23T11:45:31.488641Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488646Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8855f2a86d7447e75797314eace8ea6bddb960811e33fbb858ce3a1b39c48344", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "318f10e7-75a4-5f88-8734-a7942a045f26", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967640Z", "creation_date": "2026-03-23T11:45:29.967642Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967648Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "57038bb35abfae1e216782043c710be6972f49beae5b0f7b2b524f152d27eda5", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3193a6bc-e636-569f-bb47-d0f1f53630aa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822424Z", "creation_date": "2026-03-23T11:45:30.822426Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822431Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "448048bafeb3796bfce954dd78e1b90f5849d9b3459c51750f210da8bafb8753", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "31a48dbf-0638-585c-beca-635c01631411", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148416Z", "creation_date": "2026-03-23T11:45:31.148418Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148424Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "415af8037165a928dbb77fb07599666acb3f5c816219971f76051a7e40ca6b30", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "31a5d259-fe11-56c5-962b-5a6080060d61", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980481Z", "creation_date": "2026-03-23T11:45:29.980483Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980489Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3e28142ad02a1ac63ab86f97834321f30bb28e19d5c997bb0a13807ddb414c0e", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "31b9cd4e-81db-5d44-92bd-7d33f1f2e368", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976782Z", "creation_date": "2026-03-23T11:45:29.976784Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976790Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f571b5302e900254cb1a46a7e1dd9190bceecb24c73ef3e36b4ff59517ad1e37", "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "31be4bd4-eabc-5407-99ea-c1917330299c", "test_maturity_current_count": 
0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152390Z", "creation_date": "2026-03-23T11:45:31.152394Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152403Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eef20092ec73e387548789a739a64c8027dc18231ede2acf50891abff12242a3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "31c13a82-b385-5970-b146-9bc0c3aaf02a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822962Z", "creation_date": "2026-03-23T11:45:30.822964Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822969Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "2ff73944c43821b3d13abc37245c2c8d4eadc876dead02da45ea82fdf1525973", "comment": "Vulnerable Kernel Driver (aka SBIOSIO64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "31c23698-4a97-5fd5-9c49-a8dea25e2ca1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830018Z", "creation_date": "2026-03-23T11:45:30.830020Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830026Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d7b8383b044fac9f63b370428af5ed68d086beb5e719a4b49edf649e1851a5e8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "31ce8641-4ae3-5589-b66b-44e87923e33d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:29.621212Z", "creation_date": "2026-03-23T11:45:29.621214Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621219Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e0cb07a0624ddfacaa882af49e3783ae02c9fbd0ab232541a05a95b4a8abd8ef", "comment": "Logitech CoreTemp vulnerable driver (aka LgCoreTemp.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "31cec43b-640a-5965-b3de-a3e27dd53d21", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828095Z", "creation_date": "2026-03-23T11:45:31.828097Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828102Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8dfb0deecf8d39956ecff812406e2e079802f2a2c6e853003c6d1aeed3ffbd7d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"31d07748-4b95-5d89-b86b-33b7c128d5bf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824385Z", "creation_date": "2026-03-23T11:45:30.824388Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824393Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3629ce7fbcc691e1cf0c5e5f0bf5d964820107d7b860959b57afd17a712434c9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "31d9e85e-6d25-50f1-a101-a21a59a090f4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615308Z", "creation_date": "2026-03-23T11:45:29.615309Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615315Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "051dad67cc6cb6b6e20b1230b04c09cc360d106a6b7000e0991381356ace0811", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "31da887a-c015-5827-bc0d-6d5cbbfd2ba7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473388Z", "creation_date": "2026-03-23T11:45:31.473391Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473400Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "409704c58dbfcf148730855ed3e5a179da5a9d7b5669391716d5b18996bed5d1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "31de84e3-4855-5380-b1f1-6e5c2a3cba17", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828565Z", "creation_date": "2026-03-23T11:45:31.828567Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828572Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "548780fd48a92c2fbf94f5d8447c4d76899f9ac0fe3b2fd4b8b427635447e085", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "31f38467-db65-58a0-a9de-080846169752", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.815858Z", "creation_date": "2026-03-23T11:45:30.815860Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.815866Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3f36bc2327a34da59c59e3fd4cb920a26f2db1c6a5f8eb17b00dc6e2a4ff71dc", "comment": "Vulnerable Kernel Driver (aka FPCIE2COM.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "31faf7e5-7661-549b-9526-f2d749b2a9b3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825059Z", "creation_date": "2026-03-23T11:45:31.825061Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825066Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3c579a5786dae365555d6ef083910fbfc463926e52e9f3ae7ae028d615e6cffb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "320ae59a-5b1b-57a4-a353-cd7b7fa189ea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498739Z", "creation_date": "2026-03-23T11:45:31.498743Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498749Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "da969d5b6b470c7758b28c8db88d17d56d837807119b45d66c088d5698189cf4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "320b5d99-f3e9-5e6a-869f-fe887bd7421f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811098Z", "creation_date": "2026-03-23T11:45:31.811100Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811106Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "37744ed595d1f5c5f28e0745adabc10a93e47ca64b906dacc4be078424916eb5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "320f5bb5-1c8d-5771-907a-3e2aab4315fc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978440Z", "creation_date": "2026-03-23T11:45:29.978442Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978448Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b9661dd0dcf81d2ee8e5eb3b728c907b4eb861806971051ad772f7fe4d09eb6a", "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/a7628504-9e35-4e42-91f7-0c0a512549f4/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3224ad16-d7c4-5b12-84a3-3fe1c2d242b8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814313Z", "creation_date": "2026-03-23T11:45:31.814316Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814324Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1f42044d54e2820ce7866db56f42a45635da0fc54c9456db9cbbafb308c7f9bf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "323d34f1-9f87-55ab-9322-36298805c89b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610917Z", "creation_date": "2026-03-23T11:45:29.610919Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610924Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "472e29b63e1d9d44269a99962b186113586fbd3603eac3a23c520c7ef73a69cf", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3244793e-fe60-5259-9a8a-09e9eef04ad7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977150Z", "creation_date": "2026-03-23T11:45:29.977153Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, 
"hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977161Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1fac3fab8ea2137a7e81a26de121187bf72e7d16ffa3e9aec3886e2376d3c718", "comment": "ASUS vulnerable VGA Kernel Mode Driver (aka EIO.sys) [https://www.loldrivers.io/drivers/f654ad84-c61d-477c-a0b2-d153b927dfcc/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3257f270-aab5-5d7f-8cd8-11748d7451ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154390Z", "creation_date": "2026-03-23T11:45:31.154393Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154402Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c1c5f026c62d6cd2eaf8c51a73a095ed616f3e6f81ff9c638b64605ffa06aa0a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "32583d84-bde4-55de-9e6d-63bad41c5f3e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969041Z", "creation_date": "2026-03-23T11:45:29.969043Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969048Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e2e79f1e696f27fa70d72f97e448081b1fa14d59cbb89bb4a40428534dd5c6f6", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "325848d9-4087-510c-8c6f-11a0015460e3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141433Z", "creation_date": "2026-03-23T11:45:31.141435Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141441Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8f169884ed8138fc954cf5d098c146e1bffa89c6c2914cf3c4802ed8ccb4cc5b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "325ab51a-1c0d-55ff-a8d7-fc45d2b5ed82", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830313Z", "creation_date": "2026-03-23T11:45:30.830315Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830321Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4d110cbdb130768e322689a1c9c54b74663d9358305ccb3760a4d27bf9b145c0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "325f410f-54ff-584d-bd11-b75a7a1a1bc5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984087Z", "creation_date": "2026-03-23T11:45:29.984089Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984095Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9994990c02c37472625cc7b2255044feef9b73c08ca3a70c06861b7d26b27a25", "comment": "Vulnerable Kernel Driver (aka VProEventMonitor.sys) [https://www.loldrivers.io/drivers/4db827b1-325b-444d-9f23-171285a4d12f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3265ec66-f8aa-5c11-a7f8-c0f7ade87bed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143510Z", "creation_date": "2026-03-23T11:45:31.143512Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143518Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "648244095ea6a94a53be19cbf539948ef067ff38a99234f309b2f71a4ebcb630", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "326a8b14-0d61-5507-bd91-1aa17b33a16c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490280Z", "creation_date": "2026-03-23T11:45:31.490282Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490287Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f37a48bf6871ed1e58b818be7506e2e05bb403a7dbcde6c785d31bad3c6cf056", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "326edf91-0bab-5535-aaf2-b96e85ca99d2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154484Z", "creation_date": "2026-03-23T11:45:31.154486Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154491Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d29f601fec6ac5fc0ff035113f4b8b1863f34ff60e3f0f2731c515fc0efa36eb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "326fe57f-d0c0-5dba-9725-1e342912ffc9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824762Z", "creation_date": "2026-03-23T11:45:31.824764Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824769Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d175169e3fcebe92b1c6b560d0c160ffe0fa6a826f3a5042b9b2ab140f6aed8b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "32700161-2505-5d17-9f7c-8026563eecf1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146761Z", "creation_date": "2026-03-23T11:45:31.146762Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146768Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "23be2c7ad6e444bbf9c273380d3646ac62a684d37370f378c56ce9ddb9646d2e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "32707a4f-1fc3-542f-b935-dc1aff83457d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825341Z", "creation_date": "2026-03-23T11:45:30.825345Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825352Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "689f565e874b6d0232bbd946bb3c1e373d634512d1afa0b9ab90d45e507c85ac", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "32825e6b-b9b8-5864-9882-c5f98a7f0eeb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978977Z", "creation_date": "2026-03-23T11:45:29.978979Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978984Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fafa1bb36f0ac34b762a10e9f327dcab2152a6d0b16a19697362d49a31e7f566", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "32841b1a-8ca9-5e06-904b-24623b286c5c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143260Z", "creation_date": "2026-03-23T11:45:32.143262Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143268Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d1f4949f76d8ac9f2fa844d16b1b45fb1375d149d46e414e4a4c9424dc66c91f", "comment": 
"Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "328764df-64e0-5924-8b11-b07fd84a4bb3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610724Z", "creation_date": "2026-03-23T11:45:29.610726Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610731Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aebcbfca180e372a048b682a4859fd520c98b5b63f6e3a627c626cb35adc0399", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3292cc44-dd4e-507b-85e9-70227d33d597", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820752Z", "creation_date": "2026-03-23T11:45:31.820755Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820763Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c5426d89f7b6c799c34932e4a611e68ecf84f1d227fc64214e53bd94afc55d3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "32aab162-ba62-57e7-90ef-1e32670fd2c9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833092Z", "creation_date": "2026-03-23T11:45:30.833096Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833105Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b133de6cbfcf087f25760800516ffe28457b18925ebc7d162f7c6926fcce4741", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "32ab2447-809c-5718-b0cc-7cf94ea5d9ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614787Z", "creation_date": "2026-03-23T11:45:29.614789Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614795Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9c10e2ec4f9ef591415f9a784b93dc9c9cdafa7c69602c0dc860c5b62222e449", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "32bcc1dc-18ea-590e-bbed-e62f28d8ae3b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812046Z", "creation_date": "2026-03-23T11:45:31.812048Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812053Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "461cd721500c149bc6a1051437b75a7848c2cc63f010cb1d9fd6b432afd11b04", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "32c03f51-a1d8-504a-8713-4313c30de4fe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824376Z", "creation_date": "2026-03-23T11:45:31.824379Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824388Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c5104b29da9711075558e2197a4e82923dd5dba8ac9e5973954c1ee7215cd427", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "32cac183-96fa-513e-97ca-ba91113eda50", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820599Z", "creation_date": "2026-03-23T11:45:30.820601Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820607Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ed3448152bcacf20d7c33e9194c89d5304dee3fba16034dd0cc03a3374e63c91", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "32d12ab1-5290-5245-bc54-bc2d9e96abba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820135Z", "creation_date": "2026-03-23T11:45:31.820139Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820147Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8f3674ad46425d496e246cb95a21df0198bdfa3c259aef6f35dd8f215fb295cb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "32e366ce-b86d-585d-91f8-16f0206994dc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474245Z", "creation_date": "2026-03-23T11:45:30.474248Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474257Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2815c91fe5053899593cec83218b8dff85cfd85cea667dbbf2153cbc3cde000f", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "32e51e7c-1eb2-51fd-87aa-02d3c07ae84c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809210Z", "creation_date": "2026-03-23T11:45:31.809213Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809221Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "43e851763ab1b28fa121216cd7ed92525ed9ca3f69abba8b753ba8500620d2e5", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "32e602b9-0718-55d7-8f9d-87c2452e0aae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153506Z", "creation_date": "2026-03-23T11:45:31.153508Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153514Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1ca5aa8d7bb7d926961f1af8ae909780e8e10e16c2f8f118e0c78c635b28cfc0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "32e8da6d-fe91-5cfa-b846-b18c0a08a01d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809881Z", "creation_date": "2026-03-23T11:45:31.809884Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809890Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c435b76b1753a9d778a5030e910519c1617d77fad5811a76936e15b21d69c3f5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3312c1a0-08aa-57e0-aefb-5a8f62302e79", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151072Z", "creation_date": "2026-03-23T11:45:31.151075Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151080Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "15d2b157135b3ee811ab5bde67947a29d67e0ebc1646c3dd760bbc2d4996e634", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "331711ad-039d-52e3-8c32-03c38328ef7b", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612283Z", "creation_date": "2026-03-23T11:45:29.612285Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612290Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "01e024cb14b34b6d525c642a710bfa14497ea20fd287c39ba404b10a8b143ece", "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3321e356-33e7-5603-8353-2c12bf63cd68", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498973Z", "creation_date": "2026-03-23T11:45:31.498976Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498985Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"0f4084cce01f18932a01239b1501b6707ca60642293e54b50c59b050f28da6d3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "332dccb2-8bc4-52b8-b97c-659a72ab043e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983175Z", "creation_date": "2026-03-23T11:45:29.983177Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983183Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5874e47ef681bc7cd86df905751fd0f692eed11b6a30fa68df592806316f9bc2", "comment": "Vulnerable Kernel Driver (aka b3.sys) [https://www.loldrivers.io/drivers/adfb015a-f453-4b9e-a247-50f146209eb0/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "33352fc7-d4ee-5b3e-888e-c30627d5cf97", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834726Z", 
"creation_date": "2026-03-23T11:45:30.834729Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834739Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cde0a6cb79c9e87e1d5cd0b2da48df3e8ac007dde81589417ae52017db7f4dd9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3347bb5e-80e3-5f9d-b324-d4ad07cfe595", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458579Z", "creation_date": "2026-03-23T11:45:30.458582Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458591Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5271f526b19331c7f8526a5e10b9aedc0ddd325958aa0e908ceaee40692f7ae2", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "336253a1-b634-57f8-b922-8e35db358ad4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457902Z", "creation_date": "2026-03-23T11:45:30.457905Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457913Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "14938f68957ede6e2b742a550042119a8fbc9f14427fb89fa53fff12d243561c", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "33690441-6e78-5490-a5c7-347f31939b4d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979846Z", "creation_date": "2026-03-23T11:45:29.979848Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979854Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "258359a7fa3d975620c9810dab3a6493972876a024135feaf3ac8482179b2e79", "comment": "Vulnerable Kernel 
Driver (aka t8.sys) [https://www.loldrivers.io/drivers/8c2fa9d1-b2b1-4ba1-bad9-60c44c2c20eb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "336f8934-75d6-53fa-b230-6f9b52fb4f2a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823034Z", "creation_date": "2026-03-23T11:45:30.823036Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823041Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8001d7161d662a6f4afb4d17823144e042fd24696d8904380d48065209f28258", "comment": "Vulnerable Kernel Driver (aka FH-EtherCAT_DIO.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "33774780-26d8-53e8-90f8-8cb91c900ea0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969435Z", "creation_date": "2026-03-23T11:45:29.969437Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, 
"hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969443Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e5183eda50e2c42d2ed10c015be87dff774da180928c076e99888b0d6a931df5", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "337bb937-0924-5eee-816d-162f323cd0ea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816116Z", "creation_date": "2026-03-23T11:45:31.816119Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816127Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a70f2302cea9903b3f90ff5c89c3b91efea09798bd8205650d3023def1a88ae6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "337cc11d-bd5b-55e8-9860-70e4837a051e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457994Z", "creation_date": "2026-03-23T11:45:30.457997Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458005Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "53810ca98e07a567bb082628d95d796f14c218762cbbaa79704740284dccda4b", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3386d7de-4380-535b-838c-95ef6f7b7108", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972107Z", "creation_date": "2026-03-23T11:45:29.972109Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972115Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d74755311d127d0eb7454e56babc2db8dbaa814bc4ba8e2a7754d3e0224778e1", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] 
[https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "33883177-ec4f-5290-a383-97f2258e163f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146062Z", "creation_date": "2026-03-23T11:45:32.146065Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146070Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "85ca0dcdc52709de21281b8fc131a58440a045cf640643a6d96e5fee13a78b81", "comment": "Malicious Kernel Driver (aka driver_85ca0dcd.sys) [https://www.loldrivers.io/drivers/e1c29414-5b5b-44f4-84cc-e6f55d9a23c6/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "338a3b19-4b6c-5fc8-b199-42d1ecf700d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500257Z", "creation_date": "2026-03-23T11:45:31.500260Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.500268Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "74c0a7245bdaeb9bd4caef2f87e85097ea5964e7a62e5f5fc7a929f4afbcd5cd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "338b240c-6a87-5ea9-841f-f0da16e5e201", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471831Z", "creation_date": "2026-03-23T11:45:30.471834Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471843Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "68671b735716ffc168addc052c5dc3d635e63e71c1e78815e7874286c3fcc248", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "338c1220-6dcc-5557-9404-25f5baf30d72", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604925Z", "creation_date": "2026-03-23T11:45:29.604927Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604933Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "69a4d67126186f9b29d0c12004c8b4a9e22afe30942448ade6696eb8b164b88f", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "338e0b0b-9d4a-5aa6-ba5d-8f2c846d183c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495115Z", "creation_date": "2026-03-23T11:45:31.495117Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495122Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f59d8602f4dfd43ce7126c574ca4dc1cf39867a60971c0d993a99044f15b48e1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "33937be4-b007-5c88-8e8b-a893c8cdde3f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477578Z", "creation_date": "2026-03-23T11:45:30.477581Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477591Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "af16c36480d806adca881e4073dcd41acb20c35ed0b1a8f9bd4331de655036e1", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "339acd0f-f241-56e0-ac14-1572c93107c5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613295Z", "creation_date": "2026-03-23T11:45:29.613297Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613302Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2003b478b9fd1b3d76ec5bf4172c2e8915babbbee7ad1783794acbf8d4c2519d", "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "339c419c-886b-5690-b21f-955e21beff6d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833975Z", "creation_date": "2026-03-23T11:45:30.833978Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833987Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1b89fa8308d44e0629bc159ab14b284145fdfe7e13d6fb2a81b6a378f31c32c1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "33a21463-c58a-5581-9793-1abf3dfee325", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456480Z", "creation_date": "2026-03-23T11:45:30.456483Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456492Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d8096325bfe81b093dd522095b6153d9c4850ba2eaa790e12e7056ef160d0432", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "33a6a51f-10aa-5a22-a7a3-0e4d1e87c523", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493221Z", "creation_date": "2026-03-23T11:45:31.493223Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493229Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d4c3d7c95e4ed14c7adff853e1d36d976a5e05de0f9e37a409dd79224d921392", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"33a781ac-ff55-57b2-870d-0bd12217a5dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452981Z", "creation_date": "2026-03-23T11:45:30.452984Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452994Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e279e425d906ba77784fb5b2738913f5065a567d03abe4fd5571695d418c1c0f", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "33bead4f-7b8d-51a5-b91f-ac49d23b4974", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611532Z", "creation_date": "2026-03-23T11:45:29.611534Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611539Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": 
[], "type": "hash", "value": "eb6807c46e2d4808f07cca9242e7a59393fdab6ccf4da1aec124ef2a34398d43", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "33bf2257-58a5-5d53-9cb4-533d8d23da48", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616060Z", "creation_date": "2026-03-23T11:45:29.616062Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616067Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "677c0b1add3990fad51f492553d3533115c50a242a919437ccb145943011d2bf", "comment": "Phoenix Tech. 
vulnerable BIOS update tool (aka PhlashNT.sys and WinFlash64.sys) [https://www.loldrivers.io/drivers/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "33bf7a9a-62b7-5784-b666-cad9b8135193", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469718Z", "creation_date": "2026-03-23T11:45:30.469721Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469730Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "81e0111c823599201e7e7054557017c0ba148dcd6d9fe74052efdee051c42e13", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "33c1b769-9fff-50f1-be6b-e085db693f68", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454007Z", "creation_date": "2026-03-23T11:45:30.454010Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454019Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d9d4e7d594b4b318ac78baa79f119e4c85493eec1c1f939ae10b1633346c6e9e", "comment": "Malicious Kernel Driver (aka a236e7d654cd932b7d11cb604629a2d0.sys) [https://www.loldrivers.io/drivers/2866bd72-a4b1-4764-a838-9ed0790c2631/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "33c853f9-12db-5799-bca7-3572f684e31e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471996Z", "creation_date": "2026-03-23T11:45:30.471999Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472008Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff987c30ce822d99f3b4b4e23c61b88955f52406a95e6331570a2a13cbebc498", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "33d96035-f971-5ec9-ad33-943750c5fc82", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.496986Z", "creation_date": "2026-03-23T11:45:31.496991Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.497466Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c74ab60c598a4ec997f1d8fc232c56fa72394fc5ad3a69e0706aca3511806fc6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "33f29a55-a6f1-58c7-ad01-015e4f902143", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476144Z", "creation_date": "2026-03-23T11:45:30.476147Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476157Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8138b219a2b1be2b0be61e5338be470c18ad6975f11119aee3a771d4584ed750", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) 
[https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "33f3329e-7d12-5fe1-bc68-b53e0b6d3f6c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146884Z", "creation_date": "2026-03-23T11:45:32.146886Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146892Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "efde1a896c24055780aefb6f1c5fee097b8dffbe79b7e2c26320f6fe7ea3b74d", "comment": "Vulnerable Kernel Driver (aka BioNTdrv.sys) [https://www.loldrivers.io/drivers/e6378671-986d-42a1-8e7a-717117c83751/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "33f618e5-03da-56ee-b89c-c272c20d9cf6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458316Z", "creation_date": "2026-03-23T11:45:30.458319Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.458328Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "41eeeb0472c7e9c3a7146a2133341cd74dd3f8b5064c9dee2c70e5daa060954f", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "34111be1-eea2-5913-bce6-8123f4af66cd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474825Z", "creation_date": "2026-03-23T11:45:30.474829Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474837Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4a525f5350be5a82cf4fb3546a914841642cda5deed7f9baa13d2912eed476fb", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "341e0c37-04bd-5a98-99aa-4aaa4f3a67e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820998Z", "creation_date": "2026-03-23T11:45:31.821001Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821009Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aacc20d05f9d0874955364702d8c7e016f151a019f9d289390da7b99f7155c4f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "34294bee-e670-5b6e-9011-818c7ff09599", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815401Z", "creation_date": "2026-03-23T11:45:31.815403Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815408Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ced779242a0df8d09e007d83bd896b2b672d157fcc8ebd6e27892c5ce3fb59a5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] 
[file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "34336957-e66d-5822-b387-3f02c0544a5f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975570Z", "creation_date": "2026-03-23T11:45:29.975572Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975577Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "95d50c69cdbf10c9c9d61e64fe864ac91e6f6caa637d128eb20e1d3510e776d3", "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "343a332a-a065-580d-9e42-99cdb28c7899", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815290Z", "creation_date": "2026-03-23T11:45:31.815292Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.815298Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd7f5c0dbc7d8ee58c0b8aa7893b05163f4c242d5e9a117ea03489867d6c5703", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3442e17b-100a-52ef-8cc6-567c57d504d5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473940Z", "creation_date": "2026-03-23T11:45:30.473950Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473959Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "affeec7af311ecb53182dc6b28c61057eeb6dbd895f92354310f775cf843cfec", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "346785cb-00bb-5a00-a600-47bce4b3ebb3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611270Z", "creation_date": "2026-03-23T11:45:29.611272Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611277Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6b9090296a10225be115810e29e8ada4f70e4d4a8f88b385ccd9a8a6d2eb6778", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3467c84c-d8cb-57f6-b677-6b356750e5d5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822618Z", "creation_date": "2026-03-23T11:45:30.822620Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822625Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9acd27f9b7b3075e5d5273ae285de33844aafe0477782ecd4ae573ed282f863a", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] 
[authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3471aae7-852f-52b6-86b3-c9640a2d12c2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813451Z", "creation_date": "2026-03-23T11:45:31.813454Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813462Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "90546d46b8a417fc97d51360aa02c4de0f7973d0967ed89dadaa41230bafacd3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "349897d8-44ae-5c5d-bd69-4b5bf73a1e0c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813685Z", "creation_date": "2026-03-23T11:45:31.813687Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:31.813692Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "376fce1d2509f18bc1506a516cec3a9c8ea86a08691173eb3c312e369d6e3514", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "349b51f6-d603-5a7d-bf2a-eb2dbd2dc021", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144545Z", "creation_date": "2026-03-23T11:45:31.144547Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144553Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "99b8638935d89b108073ba90d3cb422aefe1017bf28b1a875728467c78d83adf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "34a0c0c4-5b33-5bb5-a7f1-6f939eabefcc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476461Z", "creation_date": "2026-03-23T11:45:30.476464Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476474Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f27febff1be9e89e48a9128e2121c7754d15f8a5b2e88c50102cecee5fe60229", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "34a98a07-2883-51ec-8f1f-d4032355e4fd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836559Z", "creation_date": "2026-03-23T11:45:30.836561Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836566Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ccfdd6b8d4fe83b4327e398a9af9ed7df6cb7d79fe5d11423b9e87da1ec51a78", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "34b4451f-5ab1-5c5c-9379-a5ec8fd4d20d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145659Z", "creation_date": "2026-03-23T11:45:31.145661Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145667Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "82fb3ea70d7762e6f2ce380700d0164c869d233c660e3370057c5b87cd3f70f5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "34b967db-db08-5b6f-a277-558c0e50353f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809392Z", "creation_date": "2026-03-23T11:45:31.809395Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809403Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f4c030e7fd706e8b12521c9d2b0547d8d0c529088e45328a79936b922e88124e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "34bc5b45-b452-5baf-9307-575551abd473", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971678Z", "creation_date": "2026-03-23T11:45:29.971680Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971685Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e5316670c0bddc0519ef96b2db89285a8620a260429a97f9d2cf5b58b0287d91", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "34bfeb17-d72c-5324-8967-04d517c28f57", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148642Z", "creation_date": "2026-03-23T11:45:31.148644Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148650Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c2c1357cea813ee63c6411dc97ebb5ea5ac0bb53062ca220054c85524d1b544a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "34c87cc4-4c84-5999-b4c3-bb1fb4c2743d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979134Z", "creation_date": "2026-03-23T11:45:29.979136Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979141Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6", "comment": 
"Vulnerable Kernel Driver (aka elrawdsk.sys) [https://www.loldrivers.io/drivers/205721b7-b83b-414a-b4b5-8bacb4a37777/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "34c9f06f-57d8-573b-886d-20a488f24e90", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811345Z", "creation_date": "2026-03-23T11:45:31.811347Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811353Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2774201da4346d65def60845228d89663de37c880b5d55c9abbb3ba9662a275c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "34cf753c-1329-5288-b9ce-0d6ee398b8a0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143355Z", "creation_date": "2026-03-23T11:45:32.143357Z", "enabled": true, "block_on_agent": 
true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143362Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c857c2db1fe1b9c979079add29d5b970147d6a264b4095e6579b5d0669c2b572", "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "34d3bc6b-1583-518b-a70e-827d9ea3a7a6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475411Z", "creation_date": "2026-03-23T11:45:31.475415Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475425Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7781540202aa5ef6992f9293a77b08043d350ca58e00f5bfa30afdb4b8e57f54", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "34d68b0d-738b-5323-be19-fda81fd8ca1e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977997Z", "creation_date": "2026-03-23T11:45:29.977999Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978004Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "350e15bf24dcfdc052db117718329a03e930c17ac8c835e51d001e74bad784e4", "comment": "Vulnerable Kernel Driver (aka LgDCatcher.sys) [https://www.loldrivers.io/drivers/a8e999ee-746f-4788-9102-c1d3d2914f56/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "34e48092-15b4-5cbe-b10a-ceb9ceaf5430", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458164Z", "creation_date": "2026-03-23T11:45:30.458167Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458176Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0b6a410c22cc36f478ff874d4a23d2e4b4e37c6e55f2a095fc4c3ef32bcb763", "comment": "Vulnerable Kernel Driver (aka nscm.sys) 
[https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "34f1b644-0803-53df-9e78-153cd3a3cf5f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835206Z", "creation_date": "2026-03-23T11:45:30.835209Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835219Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a2bdf9e7e737444d1acec610729ddbb485f98931ccb86adaac65ec35473a46a3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "351150ff-0ac1-51cf-9928-e773063cdf98", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145107Z", "creation_date": "2026-03-23T11:45:31.145110Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145115Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "34c0711fb9ddeaea1bab040fb4b3bbf3f50039164aaad0de0764b52201866058", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3521921b-1b96-5f11-ab1d-517ac1710d12", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982503Z", "creation_date": "2026-03-23T11:45:29.982505Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982510Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1d60819f0ab8547dcd4eb18d39a0c317ec826332afa19c0a6af94bc681a21f14", "comment": "Vulnerable Kernel Driver (aka 1.sys) [https://www.loldrivers.io/drivers/a5792a63-ba77-44ac-bd4a-134b24b01033/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "352befa1-64ae-580a-a206-33dd8ccecbe0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498146Z", "creation_date": "2026-03-23T11:45:31.498150Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498158Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f0b37c4ce0ba64bc3ae08f1443ef73ca7e47a3f3db145b7d243618c1f988c7be", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "353ac27c-b6b1-5840-ace4-0791124e9cc2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817488Z", "creation_date": "2026-03-23T11:45:30.817490Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817496Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5449e4dd1b75a7d52922c30baeca0ca8e32fe2210d1e72af2a2f314a5c2268fb", "comment": "Vulnerable Kernel Driver (aka dellbios.sys) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "354c0ecc-23ff-506e-96f4-ef5df72cc8ba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476050Z", "creation_date": "2026-03-23T11:45:30.476054Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476062Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0cfb7ea2cc515a7fe913ab3619cbfcf1ca96d8cf72dc350905634a5782907a49", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3555aa25-191a-5814-96b2-7500165dbaf0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967729Z", "creation_date": "2026-03-23T11:45:29.967731Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.967736Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3876e1d070de070ca46423d1a444da1906a7e8136288dce76c840010017a47c9", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "35622616-b5d4-5c21-8be9-d88dd5e4e457", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820213Z", "creation_date": "2026-03-23T11:45:30.820215Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820221Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ddcca718ae393cf1d3fd57ddd648484b97c95086bc1c77c6e00d8cd86d60bd8", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "356b6fe3-c6a2-5ef9-ae0c-9457fde490c4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492979Z", "creation_date": "2026-03-23T11:45:31.492982Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492990Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5a0c2b8f072d58a7ed0d774a6d9329f55819a478e97aa568bfc955e5ff4c698c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "356cea6f-9112-5831-afb6-38afc6be9321", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474235Z", "creation_date": "2026-03-23T11:45:31.474239Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474247Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9d48724981a38495983357464c6c16a1d911b7d7ba9730f33b6042bb71720c08", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "35712b77-88a5-5480-89c2-192b8335477b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607650Z", "creation_date": "2026-03-23T11:45:29.607652Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607657Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6cb6e23ba516570bbd158c32f7c7c99f19b24ca4437340ecb39253662afe4293", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "35877ffd-4776-55b0-9e27-8c803d45725e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975006Z", "creation_date": "2026-03-23T11:45:29.975008Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975013Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "60571dbcaec96d9517e0d116d066e70ae747aa4396d7857b2eea0f4c1a5a70b4", "comment": "Vulnerable Kernel Driver (aka amsdk.sys) [https://www.loldrivers.io/drivers/a285591e-ad3c-46a3-a648-c58589ff5efc/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "35989926-1906-5f9d-8df1-3145313f48c1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823233Z", "creation_date": "2026-03-23T11:45:31.823236Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823245Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fc46e5b6b1ffaca1d534f3c2d7e1f98200c8e75980ab5abd58b7142604c99696", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3598f70a-ec31-5253-85a8-775e57057167", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818186Z", "creation_date": "2026-03-23T11:45:31.818189Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818198Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "57c8bbdc617fea993266198ade9cd04582df9d8f896abaa011d3d97574046b37", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "359bbb5b-f054-5600-8f9a-5e9a5263623e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466807Z", "creation_date": "2026-03-23T11:45:30.466810Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466819Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "af7ca247bf229950fb48674b21712761ac650d33f13a4dca44f61c59f4c9ac46", "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "35adc59f-0107-5b67-a529-f5534c6bcaed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144110Z", "creation_date": "2026-03-23T11:45:32.144112Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144118Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2c1b65c2988b337182f1ba57b404793454e30a7fd328d34bc2e79857dc437a4a", "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "35b136ac-5d61-5fdb-9255-8efde8d6d7c8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463184Z", "creation_date": "2026-03-23T11:45:30.463187Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:30.463195Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6d68d8a71a11458ddf0cbb73c0f145bee46ef29ce03ad7ece6bd6aa9d31db9b7", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "35b3c963-847d-5ac0-aca8-ee66eca51cc5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834159Z", "creation_date": "2026-03-23T11:45:30.834162Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834171Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "882d4bde14f068076056098a7e097b026a548a6cd6b2604daec846f5483f9866", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "35b65d15-d767-56aa-b9d6-b17d5e8a7167", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813061Z", "creation_date": "2026-03-23T11:45:31.813064Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813073Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "552607a739ca2833a5800fe65f04febc3fc9531f8cd17dc562da487572e7672a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "35bd1c57-2937-5b33-9c5c-65b4688edc05", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462086Z", "creation_date": "2026-03-23T11:45:30.462089Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462098Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "36f45a42ebf2de6962db92aaf8845d7f9fd6895bedc31422adcf31c59a79602d", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "35bf3bf1-a259-5d3d-a4bb-8cb9536f0809", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814689Z", "creation_date": "2026-03-23T11:45:31.814692Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814701Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "895aecc148a913118019ace4656a71d5bf3c0c87bb7ffb96de409dba5bdd828e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "35cad061-e719-5edf-823c-41001ed39cd8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810663Z", "creation_date": "2026-03-23T11:45:31.810665Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810671Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "323661cc6e15eb48e21c097c53253409f3637a1fff408a116bd828c4611ce3bc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "35d445ee-725a-534f-a66b-cd82b07165de", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146638Z", "creation_date": "2026-03-23T11:45:32.146640Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146646Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "37d07c39dc10ae82a9d292c74f7c5f93c7bc133a0225402dafc21f664af079b6", "comment": "Re-signed Vulnerable TfSysMon driver used by ValleyRAT (aka amdi2c.sys and tProtect.dll) [https://x.com/anylink20240604/status/1905691075639222521] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "35d62fe6-8104-586e-8f42-a2139d4f5052", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819795Z", "creation_date": "2026-03-23T11:45:30.819797Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819802Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "837d3b67d3e66ef1674c9f1a47046e1617ed13f73ee08441d95a6de3d73ee9f2", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "35df2083-1e20-58af-b412-8eaf849d1e72", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811580Z", "creation_date": "2026-03-23T11:45:31.811583Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811591Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d9bce72c8f8817de3028795f07f1cea6dfc0143860acce73f21ceffcb82fc899", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "35e0a09d-4293-5a71-bc4d-71275842b875", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824726Z", "creation_date": "2026-03-23T11:45:31.824728Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824733Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7565d7f7b811d658278b511b5334a6cd21f551b31d180cc6efddd515ed793c74", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "35f8a780-3ead-59f1-aa74-933a96e9648f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825744Z", "creation_date": "2026-03-23T11:45:30.825746Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:30.825752Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "505fbf8c447320aaedfedb02b64423cc2140b328aa6da4ed23ecf2067ffb1d81", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "35fd48f6-e87c-5aa1-9f95-cf0da201d14c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.471991Z", "creation_date": "2026-03-23T11:45:31.471994Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472004Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "50d7f7fa334582eaee68abf8215a1283c0a3e405e601e56ea41aa9553570907d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "360a960b-449a-59f2-b7b6-163f6c75de6a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836011Z", "creation_date": "2026-03-23T11:45:30.836013Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836019Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8bda2d609bd41e2c29f81803be5cc8a15984a041ac77a34fabd9a806897c24cd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "360be8d1-017d-5cd4-98e2-f34155bebab0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145075Z", "creation_date": "2026-03-23T11:45:32.145077Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145083Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ef9d653aaa2e629b211cd367a32c381eba694ba85682b987497c287d7dbc0082", "comment": "Malicious Kernel Driver (aka driver_ef9d653a.sys) 
[https://www.loldrivers.io/drivers/14e51012-5429-483e-9423-49778c3bd1c2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3612f005-dc2b-5239-ad5e-60a5b0124529", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480788Z", "creation_date": "2026-03-23T11:45:30.480790Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480795Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "38e6d7c2787b6289629c72b1ec87655392267044b4e4b830c0232243657ee8f9", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3613dbd0-1369-59a2-b68e-9e4b8246a9a5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611640Z", "creation_date": "2026-03-23T11:45:29.611642Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.611647Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "536333c1fb9066a12c7791b740fcf637f6f86b45bd57baf0f27ae33c3b6c6cf1", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "36151a0f-f877-504d-9ba1-ecac6dc52113", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827664Z", "creation_date": "2026-03-23T11:45:30.827666Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827672Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2faedf73d553ccbb206f8e2cd9e758c0bc0362cfb8d75e551f044407e02f0d75", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3615e11d-43ea-5afe-8a3f-45a9116bf814", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145712Z", "creation_date": "2026-03-23T11:45:31.145714Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145719Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ec98851bf8f19d301efb0d8b4b9724f038a784e20421a62696bbdeae5e20f050", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3622bac0-a61e-5c2a-a714-3c29a77750a9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474780Z", "creation_date": "2026-03-23T11:45:31.474784Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474795Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "09dcdc4c882022babb23af2ac0bbac4535fcc9fc8e60bf415f00ebba2adaf86d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "362a5491-56e1-54c0-a8f9-435f25ad9131", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979977Z", "creation_date": "2026-03-23T11:45:29.979979Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979985Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7d8937c18d6e11a0952e53970a0934cf0e65515637ac24d6ca52ccf4b93d385f", "comment": "Vulnerable Kernel Driver (aka nt3.sys) [https://www.loldrivers.io/drivers/d5118882-6cdd-4b06-8bf4-e9818f16137e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "36342af2-1c23-5d26-a3af-35895359705f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477170Z", "creation_date": "2026-03-23T11:45:30.477174Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.477183Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7227377a47204f8e2ff167eee54b4b3545c0a19e3727f0ec59974e1a904f4a96", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3636d07a-fc26-5677-b6c2-7b5f7d12aab2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146953Z", "creation_date": "2026-03-23T11:45:31.146955Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146960Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e020d0095c96b3bb246b7884b0c7700b62a8cadb18b8de44cc0e4852e74596e6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "363af1b8-6f28-5465-87dd-44e21b7620bb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978668Z", "creation_date": "2026-03-23T11:45:29.978670Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978676Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f1718a005232d1261894b798a60c73d971416359b70d0e545d7e7a40ed742b71", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "363c9e90-3af4-5b54-8ab6-4b8e3345f218", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480431Z", "creation_date": "2026-03-23T11:45:30.480433Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480439Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e6023b8fd2ce4ad2f3005a53aa160772e43fe58da8e467bd05ab71f3335fb822", "comment": "Vulnerable Kernel Driver (aka GtcKmdfBs.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3644289b-1d3d-5609-8a48-0e20053b969c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826938Z", "creation_date": "2026-03-23T11:45:30.826940Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826952Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8e8d345e25502abe87f46b78f31b290c202855e50fb302e765298b21e6868ec0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "36567fad-de9b-53b6-8d2c-9bc0b9883e68", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148001Z", "creation_date": "2026-03-23T11:45:31.148003Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148008Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ca5f440d25b04318b450b527a9696a040d9801b88461ac4aa7e133799add08b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3657d8e3-a9f8-5207-bdba-da0d32887f6c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495547Z", "creation_date": "2026-03-23T11:45:31.495549Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495554Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2eb35a8ca7ce6149d6dc9380bb0883ea4a5822abc94c1e64780590534c4a4a5f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "365a1850-b4c9-534c-9fc6-c003e10b3af9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157612Z", "creation_date": "2026-03-23T11:45:31.157615Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157623Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "693ff41be1f95fb1f55f4ab3ef610a4b0bdfda21b992e00fcbd76aab8634ad69", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "365c12b6-39eb-5073-bddb-6762cc990a54", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467648Z", "creation_date": "2026-03-23T11:45:30.467651Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467660Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1e0133cfe93c0e1cdd995b8668134bafcd35976c8f02400112668d91da7eb34a", "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3667d275-1bbb-506a-bce3-d09de825f969", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810326Z", "creation_date": "2026-03-23T11:45:31.810328Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810334Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "62507931949cdad75b4d46bc2a7997514a5f618a532958d2a1c31d5a6870ecf8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "366873f6-6c59-5ac2-bd5e-ce5a125421d9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479367Z", "creation_date": "2026-03-23T11:45:31.479371Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479381Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9e90c7a07cf0d7bbc73d334a912ea1d4e079658daf2a2a081776004764d25fa7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "36720b49-0576-5349-a2ed-5e9df03a30fb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824438Z", "creation_date": "2026-03-23T11:45:30.824440Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824446Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e47d93196bb62140f65d8e860b93fd4a9b280f8a559487b5349356d1d301c69b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "36759e85-e912-53a4-bbc1-abcd17371ea6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971420Z", "creation_date": "2026-03-23T11:45:29.971423Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971432Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d7e091e0d478c34232e8479b950c5513077b3a69309885cee4c61063e5f74ac0", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "367dc82b-21c3-5e4e-b24f-1bbd038cbf06", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605862Z", "creation_date": "2026-03-23T11:45:29.605864Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605881Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "075de997497262a9d105afeadaaefc6348b25ce0e0126505c24aa9396c251e85", "comment": "Process Explorer 
driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "367e7cb4-9b85-5854-9490-a53bb940b951", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481888Z", "creation_date": "2026-03-23T11:45:31.481893Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481903Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5ad5fba2066e4e72925c362a751f591965523b1727d79c6c21505cf82d049bd7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "368c2920-b654-547d-8baa-157aee9e2d51", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972457Z", "creation_date": "2026-03-23T11:45:29.972459Z", "enabled": true, "block_on_agent": 
true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972464Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4182c6f1f9c5601b66dfe8f64d4e4e943eeeb3345ad4b5e23e3ad3b328af7eed", "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3690d9fc-699a-52ae-b0e6-054ac8af5088", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154709Z", "creation_date": "2026-03-23T11:45:31.154710Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154716Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2eb541f77203a949a851d733f019ed837e7a88c38c5aacbc227ff6f7c5d1af62", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "369359be-bb2c-5213-bffe-707b1d620087", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 
10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616312Z", "creation_date": "2026-03-23T11:45:29.616314Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616319Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "26ba58c9af9c8a7aebf222f491f786daa0626be44d34f170fea3623d92828e63", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3693ae0e-5b61-5e3f-8f86-c8411d84a5c4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144484Z", "creation_date": "2026-03-23T11:45:32.144486Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144492Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"fdd16a94a71644a8bb52c4e0fbfecb93f04cfe37bd91bac599cf9abfb822762f", "comment": "Malicious Kernel Driver (aka driver_fdd16a94.sys) [https://www.loldrivers.io/drivers/da066835-f37c-40bf-86bb-d77ad45c7f30/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3695d524-a409-597d-b98d-54ab7a6eb1a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490315Z", "creation_date": "2026-03-23T11:45:31.490317Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490322Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4c21a832cbda14a54ff07a81d486ce37eacd3a8d041000d22fb0d929cdbef591", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "369b4b39-a9be-5a72-899a-9c634525f92b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142167Z", 
"creation_date": "2026-03-23T11:45:31.142169Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142174Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b418e2604e8cf433ce9e6b80096ca64aa009393938ecec46d9482b18b2a5929a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "36a92de4-93aa-5ffa-9123-fb41f95f089c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478859Z", "creation_date": "2026-03-23T11:45:30.478863Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478931Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bea8c6728d57d4b075f372ac82b8134ac8044fe13f533696a58e8864fa3efee3", "comment": "Vulnerable Kernel Driver (aka rtcoremini64.sys) [https://www.loldrivers.io/drivers/b9e01a11-6395-4837-a202-0c777d717a43/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "36bc48e4-23ad-5c24-8c02-b6c60a233afa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150941Z", "creation_date": "2026-03-23T11:45:31.150943Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150956Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "18ea074a9f9f960b7a4c2229212d2ada88fd617078fd976bd6c2d7c93b21c9db", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "36ce12e8-ea2a-5534-9a87-b0a775767179", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825012Z", "creation_date": "2026-03-23T11:45:30.825016Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825024Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"1a2f4063726beaee7aab5e288c678dc70aea2696306a324e0d554b6e0a145b4a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "36e52b6e-8328-53cc-b48e-123c75c609dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967604Z", "creation_date": "2026-03-23T11:45:29.967606Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967611Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f08ebddc11aefcb46082c239f8d97ceea247d846e22c4bcdd72af75c1cbc6b0b", "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "36e92001-e69c-55c7-8498-bc38ba0c992c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142148Z", 
"creation_date": "2026-03-23T11:45:31.142150Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142156Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab21cd0feaa710e46f1cc7dfa86a803fb001a561dd68b139018eeab2b3b25cd8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3707775e-d6c7-5e75-bfdb-184d07a0a6a9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455080Z", "creation_date": "2026-03-23T11:45:30.455083Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455092Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "24ea733bae1b8722841fb4c6cead93c4c4f0b1248ca9a21601b1ce6b95b06864", "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "370a6b67-0ac3-57c4-b8d0-d9bb57689976", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619541Z", "creation_date": "2026-03-23T11:45:29.619543Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619548Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c628cda1ef43defc00af45b79949675a8422490d32b080b3a8bb9434242bdbf2", "comment": "Insyde Software dangerous update tool (aka segwindrvx64.sys) [https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Program%3AWin32%2FVulnInsydeDriver.A&threatid=258247] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "370e9dad-4f64-529e-a071-9ea11e76cb1a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480174Z", "creation_date": "2026-03-23T11:45:31.480178Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480187Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"292428ea5c9a276d51c59c63ab0b58b78736bc0e53fc195a959f51b110742dc9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "372b3d73-4409-5794-9830-79459e843f7b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620999Z", "creation_date": "2026-03-23T11:45:29.621001Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621006Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4db1e0fdc9e6cefeb1d588668ea6161a977c372d841e7b87098cf90aa679abfb", "comment": "Phoenix Technologies Vulnerable Physmem drivers (aka Agent64.sys) [https://www.loldrivers.io/drivers/5943b267-64f3-40d4-8669-354f23dec122/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "37325ccb-1daf-5bae-b21f-310e53290bb2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.970071Z", "creation_date": "2026-03-23T11:45:29.970073Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970079Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "62b89fab85cf77b1e6730d2b55b4f9458f368f89d3ca5672d450e3c3365d8c37", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "373884c0-fbb0-5934-b3ef-d21ef26bb689", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983281Z", "creation_date": "2026-03-23T11:45:29.983283Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983289Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7bacb353363cc29f7f3815a9d01e85cd86202d92378d1ab1b11df1ab2f42f40a", "comment": "Vulnerable Kernel Driver (aka DBUtilDrv2.sys) [https://www.loldrivers.io/drivers/bb808089-5857-4df2-8998-753a7106cb44/,https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "373c04ad-70d8-57b0-b541-133c3d0c3a32", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820540Z", "creation_date": "2026-03-23T11:45:31.820544Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820552Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ba82355d4238272001bbe1173a2217224093e048f37b0c1838e81cd0128a737c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "374559fe-5988-5068-8252-1cc2bb02339a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622054Z", "creation_date": "2026-03-23T11:45:29.622055Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622061Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "ed302ea33feb557b879f64c4b7835947a9ca31054573e1487f5bbc38449753ff", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "37782778-bde9-50c7-923e-0bf8b182f9c5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975769Z", "creation_date": "2026-03-23T11:45:29.975771Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975776Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "14ec631a3cff171b86e2b0279c8db436cb88ec705c517bd82a964e2c59def92f", "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "377af8d5-feee-558c-b96c-6e2e78deaa06", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.142987Z", "creation_date": "2026-03-23T11:45:32.142989Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.142995Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c1a4ca2cbac9fe5954763a20aeb82da9b10d028824f42fff071503dcbe15856", "comment": "Vulnerable TfSysMon driver from ThreatFire System Monitor (2013) (aka TfSysMon.sys) [https://github.com/BlackSnufkin/BYOVD/tree/main/TfSysMon-Killer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "378073ef-2346-5362-9e5f-469caad4f94c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143545Z", "creation_date": "2026-03-23T11:45:31.143547Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143552Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1d79182bf82e2e3d3834945811c0f159c16b5ee941803f43fc7c069096a1ddd1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { 
"id": "37843c92-6c79-5b95-9cac-ee9f5a39fd07", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828543Z", "creation_date": "2026-03-23T11:45:30.828545Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828550Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0c1a422e8f958e2e2152b8aed18a1723349edcc16b5deed97a320786f98b4e51", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "378a9817-754b-5195-877d-a0da37e11a58", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469689Z", "creation_date": "2026-03-23T11:45:30.469692Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469701Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3b8401cefd1dbfb754fe00b513784110836c8e938a40cc606903f46503af2943", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "37abd82b-fa28-580d-8afc-bb20c4956730", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.158841Z", "creation_date": "2026-03-23T11:45:31.158843Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.158848Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3a5a443fde50b91739c8d9a321bd9f0bc4cb556f5d64b4cb9fc8a58104a06f5d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "37ad9827-2a58-5dc3-8b60-46d53cdaa54a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458108Z", "creation_date": "2026-03-23T11:45:30.458111Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458120Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1675eedd4c7f2ec47002d623bb4ec689ca9683020e0fdb0729a9047c8fb953dd", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "37b51c6c-3a30-573a-8492-7af9c9514140", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816397Z", "creation_date": "2026-03-23T11:45:30.816399Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816405Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1748436f8e9c251b2c0d1a33499a1aa1a06ae961e1c9911e8c172fe297ab1feb", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "37b6a762-1299-5132-9788-5378fc577a2e", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972142Z", "creation_date": "2026-03-23T11:45:29.972144Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972150Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f877296e8506e6a1acbdacdc5085b18c6842320a2775a329d286bac796f08d54", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "37b8b19f-dc76-5f3e-bfb9-09e21b0c16cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472866Z", "creation_date": "2026-03-23T11:45:31.472869Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472903Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"2a26b2ea38eb4e794341933fed73cea751c923808145168656c2b809c774b46b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "37b92abb-91a0-55dd-8c5a-818169eaaa1a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152288Z", "creation_date": "2026-03-23T11:45:31.152291Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152299Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "787b3225d73c10a46d08c512793250493cb58fe1252e5f0a226b115a35549111", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "37b9a0bc-57b3-587e-a5ef-93bdc9b94df1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141885Z", "creation_date": "2026-03-23T11:45:31.141887Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141892Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "64fcecd846a95c48062a2139f5731bd6c3e68a2ae1fa14e103094389e2ec3328", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "37ba5fad-9181-5556-affa-5acf0ca82d8c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825924Z", "creation_date": "2026-03-23T11:45:31.825927Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825932Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c6d3bf485ac41a4b66529755df982da91a2ff1a23ffa15564474c8543980893a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"37bd0067-0a80-56b6-921d-3ff13a52c4ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808101Z", "creation_date": "2026-03-23T11:45:31.808104Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808113Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4edd64593884be2a0b05f6153cbe85db1f202dd2ea0eef0500e334ee30e4f41c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "37bd21c0-b91b-5269-88a7-5dc486cae73f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969593Z", "creation_date": "2026-03-23T11:45:29.969595Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969601Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "14ed216fbc7eece76ef906c7346779e06043c59edb7feb6f51809b2cb395853d", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "37c2fbd8-f542-55b7-9676-697165a13aaa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479269Z", "creation_date": "2026-03-23T11:45:31.479273Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479282Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b895393c96cec1a7c89abe7eca0e9555da5be8e25c0a02e5e43caf37f42a9785", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "37ce5d72-d52c-5096-b767-eea1aeb309d4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621634Z", "creation_date": "2026-03-23T11:45:29.621636Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621641Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fa875178ae2d7604d027510b0d0a7e2d9d675e10a4c9dda2d927ee891e0bcb91", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "37d2fe47-d3ad-5fcb-954d-e11e6fdd009d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822845Z", "creation_date": "2026-03-23T11:45:31.822848Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822856Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9335a234e261df74b8d8e6027dadc918dad8499e6daee611e3ccfd052bb2a385", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"37dacc43-4133-56c0-b430-4f33c7072d05", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617006Z", "creation_date": "2026-03-23T11:45:29.617008Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617013Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4f35cf1f2e0fb87a2728303091ee505a0bc546cf63dcd38178adf48477ec0f91", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "37e5fbfd-ee5d-5a4e-8459-cf49957470c6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473506Z", "creation_date": "2026-03-23T11:45:31.473510Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473521Z", "rule_level": null, "rule_level_override": null, "rule_confidence": 
null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "59aea123738499f75b7de47b34520d9f67c01f60c7bb30c1742ff9903a185a18", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "37e70f98-a899-5322-b910-a32d8102b427", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.147187Z", "creation_date": "2026-03-23T11:45:32.147189Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.147194Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9f882afd44ed1e9ec1875dd5e1362bb2216815a84b3709b7bb72b1206c5e7b86", "comment": "Malicious Kernel Driver (aka AppvVStram_.sys) [https://securelist.com/honeymyte-kernel-mode-rootkit/118590/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "37e79206-30fc-51d5-a2d5-3fe85c2fdcc0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471647Z", "creation_date": "2026-03-23T11:45:30.471650Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471667Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "52a90fd1546c068b92add52c29fbb8a87d472a57e609146bbcb34862f9dcec15", "comment": "Vulnerable Kernel Driver (aka AsIO.sys) [https://www.loldrivers.io/drivers/bd7e78db-6fd0-4694-ac38-dbf5480b60b9/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "37f73358-118b-5767-8460-311211886a81", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487861Z", "creation_date": "2026-03-23T11:45:31.487863Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487881Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "947106cb13eb826fbec6ff72348076c7177139ac84509a6c01439c00b9b4fad0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "37ff47b4-96cc-55a5-b49c-e317a3d9b957", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980185Z", "creation_date": "2026-03-23T11:45:29.980187Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980193Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9e3430d5e0e93bc4a5dccc985053912065e65722bfc2eaf431bc1da91410434c", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "38064c8a-fb4f-5606-9d4a-6e5a147d1c60", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.815727Z", "creation_date": "2026-03-23T11:45:30.815729Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.815735Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"a60d45d46e5a3dda02f41d20e5782135dd0da42c75eb9c39307bd67a7c9152ea", "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3825e49a-2fcd-5193-93c6-a74b5c19900b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828454Z", "creation_date": "2026-03-23T11:45:30.828456Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828462Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f5354eebadca43d11288fe9dd0721974605fb6cbb3f6ea6ec6448513dfc94024", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "382dd39d-fe1f-5e7f-b8b6-93f11c077cc0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.825394Z", "creation_date": "2026-03-23T11:45:30.825398Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825406Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e8e9ae67f2ebe8986f434a22d4c175cf0ad77d8a580c26b5c04d6c183c2b8bbf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3834aaa8-32f2-5225-b81a-bf88d2b71206", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820478Z", "creation_date": "2026-03-23T11:45:30.820480Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820485Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fe275be26ecca4c69f1c8ec35145fcae8cd83a5cb20f7ca71ff998d91091bb7e", "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3835020e-8b74-552c-9074-f275d18879b3", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977817Z", "creation_date": "2026-03-23T11:45:29.977819Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977824Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b7516dca419d087ef844c42e061a834908f34e7363577ab128094973896222c8", "comment": "Vulnerable Kernel Driver (aka b4.sys) [https://www.loldrivers.io/drivers/d1441172-cc15-4a96-b782-f440bfb681e1/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "38385f10-7079-5122-8ce2-ce44c4f1baa5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981332Z", "creation_date": "2026-03-23T11:45:29.981333Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981339Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"c35f3a9da8e81e75642af20103240618b641d39724f9df438bf0f361122876b0", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3843fbd7-2154-5e62-b0fe-35b7fabf475f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612992Z", "creation_date": "2026-03-23T11:45:29.612994Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612999Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5e1e1489a1a01cfb466b527543d9d25112a83792bde443de9e34e4d3ada697e3", "comment": "Marvin Test Solutions HW vulnerable driver (aka Hw.sys and Hw64.sys) [https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "38468b67-d59b-5ea3-82bd-501e04680e3e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611167Z", "creation_date": 
"2026-03-23T11:45:29.611169Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611174Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "98c86fcf018822289340d248f5e2896c41ad0f284febb741b945312ff40bdfa3", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "384abeb1-9e40-5b9b-8651-c0bf7db44e1a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824997Z", "creation_date": "2026-03-23T11:45:31.825000Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825009Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "563a30a08dcb636e9dd894dcfeaf36a6da3483a32275c00ec57c5c0f13916e3c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3852d8a4-abbd-5d04-a5de-bda628c4d8d7", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827676Z", "creation_date": "2026-03-23T11:45:31.827678Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827684Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "59b52a009ceed6c2a9e9efc84117bfca18b0b1ed1168c28c6e6a7a1b05ba45a7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3855274c-d30b-5554-9a57-45e3cc281be5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140529Z", "creation_date": "2026-03-23T11:45:31.140531Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140536Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"ce9f5e121384d24730c10fa0b6dfe58d9fc571b4e7b42e15482e210a387667cd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "385ae001-036a-530b-bab0-ad0d9e50e48b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482027Z", "creation_date": "2026-03-23T11:45:31.482031Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482041Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "586d362f8801c8b2283d65172a3d53e87c9723efcdee239c5deb6dc6d100f2fa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "386a35ca-3db3-5a0c-b2a4-593179209368", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622909Z", "creation_date": "2026-03-23T11:45:29.622911Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622916Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fb7cb120d51e217ee4cc50bee619603be5eb6091634df45acc5249aed283c9be", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "386f6fd4-b740-5d17-ba4a-1f2946f6c96d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456723Z", "creation_date": "2026-03-23T11:45:30.456726Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456735Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a38c26c0754f6c9389ea43dd0149db26b95742c1b37468fcf0d8ced66da1dcb9", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3871fcc7-79c8-59aa-9448-76cde3b803c3", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147769Z", "creation_date": "2026-03-23T11:45:31.147771Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147777Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a32e9b71040976b39ddd57f36b48732ee1b9c5ad09dc0e4e905e6f59b904a301", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "38764b2a-7cf1-5e17-b347-e51b416cc591", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466637Z", "creation_date": "2026-03-23T11:45:30.466640Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466648Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "82b7fa34ad07dbf9afa63b2f6ed37973a1b4fe35dee90b3cf5c788c15c9f08f7", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3894b46c-f3ee-5bf8-8f9e-ddd9031417a4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462314Z", "creation_date": "2026-03-23T11:45:30.462317Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462326Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "19bfc95d74b27684e420b985589105d51772100383e7c3790a34ae311fee03d8", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "38ac0c0e-9c68-5337-a655-47b970ff8ce3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.821078Z", "creation_date": "2026-03-23T11:45:30.821081Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821090Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "61e7f9a91ef25529d85b22c39e830078b96f40b94d00756595dded9d1a8f6629", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "38ae8fad-1131-56c7-b5be-610fd02d2e81", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816630Z", "creation_date": "2026-03-23T11:45:31.816634Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816662Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "599713f2250bd98187c4f1a8accf00552349ad4036a71c8f5fea0bf3ac7c39a6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "38b79364-ff42-5fd7-8927-0b3a4019337b", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972491Z", "creation_date": "2026-03-23T11:45:29.972493Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972498Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "18deed37f60b6aa8634dda2565a0485452487d7bce88afb49301a7352db4e506", "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "38c27d61-35b3-5c2c-830f-5d1938c600ae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975828Z", "creation_date": "2026-03-23T11:45:29.975832Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975840Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "ea80b4a2314e44061f33a7403e0740437aa34326082e97816bb6e7693866478b", "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "38c70840-a01c-5c5b-8448-650475888eb7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811222Z", "creation_date": "2026-03-23T11:45:31.811224Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811230Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1d223236124458c2e7c2373cf3fa86652516bf0b5cff91b6e142867d1e3d26a6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "38c8d154-a778-54a5-803a-1f40a4801553", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968439Z", "creation_date": "2026-03-23T11:45:29.968441Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968446Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "38d8cddf-a3a4-5fd6-b9b6-9073836f94e5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619371Z", "creation_date": "2026-03-23T11:45:29.619373Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619379Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e46bb410c3bb95a1f3d61ced157c679bfac7dc997534e46b83b234a6fc5cbb14", "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [authentihash 
SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "38e46f37-c81d-5706-87de-89ec1285dff9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146275Z", "creation_date": "2026-03-23T11:45:32.146279Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146288Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "01d51df682136cce453bb1da8964073e6bc7297ce4dae7301c753bb618a69469", "comment": "Vulnerable Kernel Driver (aka ampa.sys) [https://www.loldrivers.io/drivers/ea0e7351-b65c-4c5a-9863-83b9d5efcec3/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "38e854fa-4638-51c8-9a42-fde360771eec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144158Z", "creation_date": "2026-03-23T11:45:31.144160Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144166Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6a51e10099132a96829845dd8f6aaac1a8ba71d9fdabacc5068580eb89211ad6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "38ec04fd-1785-52ca-bbe6-752758d981cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824060Z", "creation_date": "2026-03-23T11:45:30.824063Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824068Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e6bd14b5f9ace4e6615309cf6d26ede5871b0e32328b165273fd278bc6759199", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "38fef03b-8ddf-5749-8a51-24578c87880f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610263Z", "creation_date": "2026-03-23T11:45:29.610264Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610270Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "11d258e05b850dcc9ecfacccc9486e54bd928aaa3d5e9942696c323fdbd3481b", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3914e5c0-d0b4-5fec-b050-c70035fbf320", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605700Z", "creation_date": "2026-03-23T11:45:29.605702Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605707Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "16a2e578bc8683f17a175480fea4f53c838cfae965f1d4caa47eaf9e0b3415c1", "comment": "Microsoft Sysinternals Process Explorer kernel driver (aka PROCEXP.SYS and PROCEXP152.SYS) - a legitimate administrative tool, so this block/quarantine rule will also fire on hosts where Process Explorer is run intentionally; review expected usage before enforcing [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { 
"id": "3914e932-423d-5d5f-977f-81c659219005", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822067Z", "creation_date": "2026-03-23T11:45:30.822073Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822085Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bbb894950dc19c804c44a7dce8fe9a7267311e992421faffa8912f8b8b4dc09e", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "39312fba-ea16-5c58-8ba6-a609d1cc6ed0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827855Z", "creation_date": "2026-03-23T11:45:30.827857Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827862Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "2a8a37ecd464e7120c31d23ee6c4e54f20fa714e1d2fbeb6979629784083ad4f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "39464beb-a7f3-5fd9-91bd-227e6f5e4108", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159692Z", "creation_date": "2026-03-23T11:45:31.159694Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159699Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "44a9491e114f20b9f7a413fcfb9dbaebffbd88d8263322aa304667bb2ebf677b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "39471791-6a55-512a-ae1a-be6b803dca39", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470581Z", "creation_date": "2026-03-23T11:45:30.470585Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470594Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "29a04c696d544e36b5b5b054b3bfa8c7a5bc2aa261c48eded8f0265d82ec9157", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "394e7ac3-b70b-5bee-9bae-796522e7b8bb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155101Z", "creation_date": "2026-03-23T11:45:31.155104Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155109Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a60d45a4456ca9eba653112533846099bd7b92da8ded755d03cad359a4a78f7a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"39587e0b-0903-5162-8ac7-a823897e6fd3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977296Z", "creation_date": "2026-03-23T11:45:29.977298Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977303Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "45b969ae1b381716a29cd509622470b5b20b70c7efe4c9b7c0568faa298605ff", "comment": "Malicious CopperStealer Rootkit (aka windbg.sys) [https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "395d77d8-ebf5-539e-9aa0-f6f3e82c357c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981541Z", "creation_date": "2026-03-23T11:45:29.981554Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981560Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4582adb2e67eebaff755ae740c1f24bc3af78e0f28e8e8decb99f86bf155ab23", "comment": "Vulnerable Kernel Driver (aka HpPortIox64.sys) [https://www.loldrivers.io/drivers/13637210-2e1c-45a4-9f76-fe38c3c34264/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "395fe212-9a74-599d-8698-ad670a25bc0b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978371Z", "creation_date": "2026-03-23T11:45:29.978373Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978378Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3e274df646f191d2705c0beaa35eeea84808593c3b333809f13632782e27ad75", "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/a7628504-9e35-4e42-91f7-0c0a512549f4/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "397a1f1e-152a-535d-95ce-06c4560fbd44", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:31.147841Z", "creation_date": "2026-03-23T11:45:31.147843Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147848Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "65f4d41cef7323a54f35954173de466c15b0a07219bc7810881f362576736b1a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "39801d61-de27-5902-ae06-b7cdff2dc6ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156603Z", "creation_date": "2026-03-23T11:45:31.156605Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156610Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d525a8d02162425964da64cb71cb2e268efe4bef4159b1ec9948eb791339363e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"39812975-ad2f-58bc-b565-2a7d184e24f2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971561Z", "creation_date": "2026-03-23T11:45:29.971563Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971568Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "950b672d3300bcacefe568156fbc8b16fa09da13df2f6ecda31254faaaf041f9", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3982ea71-9589-5dce-bcf5-2cddfa792d34", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475129Z", "creation_date": "2026-03-23T11:45:30.475133Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475142Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "632d62103706b29f10ee8d88c39b5963d9fe388227e78c250e8011c1a43f266b", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "398b0af0-2ef7-5230-b9c1-74a683d3cb7c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980151Z", "creation_date": "2026-03-23T11:45:29.980152Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980158Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dafa4459d88a8ab738b003b70953e0780f6b8f09344ce3cd631af70c78310b53", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "398d919d-df91-5e06-93fc-45ad0f0a8fc5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:31.150547Z", "creation_date": "2026-03-23T11:45:31.150549Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150554Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "45ebf3df2b59032512b2b55fd5db17e777ca5fd36acccb31ff441c5d3531cb8a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "399b0dba-0247-583e-99dc-0dea7832a84d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476116Z", "creation_date": "2026-03-23T11:45:31.476120Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476129Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7bed01ddc465cc807cd0dda20a0dab4d8c750c98fc23956e632c813e1f387195", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"39a1eca2-d176-575a-ac93-2b13941f26be", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977852Z", "creation_date": "2026-03-23T11:45:29.977854Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977859Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0", "comment": "Vulnerable Kernel Driver (aka driver7-x86.sys) [https://www.loldrivers.io/drivers/670dc258-78b5-4552-a16b-b41917c86f8d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "39a79daa-7633-53f7-abe0-311ac3ca5a06", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154769Z", "creation_date": "2026-03-23T11:45:31.154771Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154776Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "480eda1cfe3d0dac4782590399966ca677f2e3094ad2cdbb9c79a4199f3b9840", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "39a8a443-3b4f-5eec-a6e8-a90f7c0336c0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463914Z", "creation_date": "2026-03-23T11:45:30.463917Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463926Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "40556dd9b79b755cc0b48d3d024ceb15bd2c0e04960062ab2a85cd7d4d1b724a", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "39b7c3c7-d04f-5949-bea8-eec49ceb274c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:31.814185Z", "creation_date": "2026-03-23T11:45:31.814188Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814196Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "79d2dd6c0e03728a542dfb2c8c2b4f52c1049ac96ce8dd7408f8e6452d0330e3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "39b89cb3-f926-5a53-a955-78b6fca09343", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982801Z", "creation_date": "2026-03-23T11:45:29.982803Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982808Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c0e74f565237c32989cb81234f4b5ad85f9dd731c112847c0a143d771021cb99", "comment": "Vulnerable Kernel Driver (aka ProxyDrv.sys) [https://www.loldrivers.io/drivers/0e3b0052-18c7-4c8b-a064-a1332df07af2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "39cb026c-6be2-5b35-ada2-eca51acbb39e", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611796Z", "creation_date": "2026-03-23T11:45:29.611798Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611803Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "33b88ac3151f2192eaf4c2be3c7ad00e49090c8b94ec51b754e19ac784b087aa", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz141_x64.sys) [CVE-2017-15303] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "39d35dc2-0596-5f83-b0a0-f239b4d4b9d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822437Z", "creation_date": "2026-03-23T11:45:31.822441Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822449Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"e0cace0bf30720a79c34ad1c253313a35e15ab9f7257d0fea6b9a6b8d61f7b23", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "39dd0f2e-cb03-5457-8d53-e614cd5b7acb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145782Z", "creation_date": "2026-03-23T11:45:31.145784Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145790Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "542d3172a05ce27d264e46e05da66101781c5e8cf802196c89effc7d9c0509be", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "39de56a7-0cb8-5671-a1f7-dbc017c030d3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821442Z", "creation_date": "2026-03-23T11:45:30.821445Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821454Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "31ffc8218a52c3276bece1e5bac7fcb638dca0bc95c2d385511958abdbe4e4a5", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "39f6f5dd-9ea9-57ed-8462-875caf1faf74", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834379Z", "creation_date": "2026-03-23T11:45:30.834383Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834392Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f66b8cb2bde015e2a031fa395bcb0d6920f7b55e229a5c88e0ec5772708a9dbe", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "39f7c046-3d67-504c-96af-05c5d4750b48", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151178Z", "creation_date": "2026-03-23T11:45:31.151180Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151185Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8c14d101cf793d7de96dc1d2551bf5e4747e7a80b2c1878116321024be257bb0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a09c3f2-96d6-5535-ab43-5f98f2c74e67", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467849Z", "creation_date": "2026-03-23T11:45:30.467852Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467863Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "0895a8fa3ee38bb38cb9fcd0183cf9466c7577eab746b3540bd0b2f282246dc6", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a0b47ed-623a-5a9a-8cd6-e148521a72d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488466Z", "creation_date": "2026-03-23T11:45:31.488468Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488473Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "99d89d9b0352e810b9084e8a4273c5a5e1609c72029e9115e9bc1407bbea9f35", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a0fa602-fb5e-5a76-a3c0-f8fe830e7417", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973322Z", "creation_date": "2026-03-23T11:45:29.973324Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973330Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d884ca8cc4ef1826ca3ab03eb3c2d8f356ba25f2d20db0a7d9fc251c565be7f3", "comment": "Voicemod Sociedad Limitada vulnerable driver (aka vmdrv.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a238d8c-3820-5fa6-8114-211d31f65d87", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830890Z", "creation_date": "2026-03-23T11:45:30.830892Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830898Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "afe2ddf92a2c0f32c58ab6fdd40bf1120d161e036ac54a3cb29e5f8cb98d4c37", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a2a6a4c-262e-58e9-bf5e-32c498eda778", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142072Z", "creation_date": "2026-03-23T11:45:31.142074Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142080Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "38e4469b142f388b6fbe9ce712ee00d590087d470ca5be8bb19df321ce5b4bbf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a2d86d2-d71c-502a-8a32-26df74ac78a5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616783Z", "creation_date": "2026-03-23T11:45:29.616785Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616793Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d052299252f0f0bd70b5e7c46b9ca71a99a052b47f693582becb6f0d567e8245", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a37ec5b-f4ee-5e25-8c8a-14b5a498cba9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468719Z", "creation_date": "2026-03-23T11:45:30.468722Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468730Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8c87d5f1261a367493fd2f240ace027bef5b178cff3dea22d45e8fa2b0f0541e", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a38406a-f562-5371-91b7-7052ae1b7f15", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610512Z", "creation_date": "2026-03-23T11:45:29.610514Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610519Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "67734c7c0130dd66c964f76965f09a2290da4b14c94412c0056046e700654bdc", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a3d5498-891b-5876-bc24-6e640dbb2556", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482507Z", "creation_date": "2026-03-23T11:45:31.482511Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482520Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "167076cfb884ad82996eac9cf9dd02aec1e149ddfff11b5c4e8fc378f4898944", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a408110-c1d3-50c6-bc13-0416ed7a34b7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829978Z", "creation_date": "2026-03-23T11:45:30.829980Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829987Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3468c3bdd003bc14864251addf657ddc5111e8c2fbfd14678cc98fec06f112f7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a4339fd-e588-5ec0-a0d6-01a5a746d1ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462670Z", "creation_date": "2026-03-23T11:45:30.462674Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462682Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b8c71e1844e987cd6f9c2baf28d9520d4ccdd8593ce7051bb1b3c9bf1d97076a", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a4783a3-0442-5285-9d29-47352d6c28d8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822746Z", "creation_date": "2026-03-23T11:45:30.822748Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822753Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "11e76c3f091b3771d881e82f7171e72228bd43877aeea9008d7de4bda184aec2", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a496165-fea9-5a6c-a60e-2a31daa12650", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983473Z", "creation_date": "2026-03-23T11:45:29.983475Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983481Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "04a269dd0a03e32e5b2a1c8ab0768791962e040d080d44dc44dab01dd7954f2b", "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a51b5e9-d549-5b8e-a04c-d94dc20a213e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457336Z", "creation_date": "2026-03-23T11:45:30.457340Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457348Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "888491196bd8ff528b773a3e453eae49063ad31fb4ca0f9f2e433f8d35445440", "comment": "Malicious Kernel Driver (aka 4748696211bd56c2d93c21cab91e82a5.sys) [https://www.loldrivers.io/drivers/2d6c1da6-17e2-4385-ad93-1430f83bde83/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a6293fa-8db4-5c7d-a184-0bb3905bc3f9", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607470Z", "creation_date": "2026-03-23T11:45:29.607472Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607477Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0cf6c6c2d231eaf67dfc87561cc9a56ecef89ab50baafee5a67962748d51faf3", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a68153b-1bd7-52b4-a5ce-050c2b7db2db", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462171Z", "creation_date": "2026-03-23T11:45:30.462174Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462183Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": 
null, "references": [], "type": "hash", "value": "e7a6c3a40724ba871e13d9c55b7967ed252777a2382fea86e4ed6a2a8203fb4a", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a6c7d63-0f96-53a2-9170-10068c0f4992", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480015Z", "creation_date": "2026-03-23T11:45:31.480019Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480029Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "24790097b421265d0cd487a141d6ca7a1e6dd1064d6e333b50335649115580b7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a6e9ebc-b0ed-558f-a81f-33087ea978ef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611150Z", "creation_date": "2026-03-23T11:45:29.611152Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611157Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0aa61910c3ceb765441c35925a50983b2571ac22da510f1495cf82f078b535b6", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a7162fa-e102-56de-a25c-5d16f2a4469c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142646Z", "creation_date": "2026-03-23T11:45:31.142648Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142654Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "13241f289d7485b2ff12636ea372ebc6a3f74f427a1d98edf300d6d03b7ad177", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"3a7ace89-fdd3-579e-b0c6-e6bccbe1c4b5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973889Z", "creation_date": "2026-03-23T11:45:29.973891Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973896Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a903f329b70f0078197cb7683aae1bb432eaf58572fe572f7cb4bc2080042d7e", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a8d6678-3710-5568-b5d2-1ab9a24c45dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829096Z", "creation_date": "2026-03-23T11:45:31.829099Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829109Z", "rule_level": null, "rule_level_override": null, "rule_confidence": 
null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "857a12a70625608a37404e85476180042c5be465ac7d7ba9ed6b126995182218", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a8fd3b6-87a5-56ec-89d3-33148e7f16f9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825106Z", "creation_date": "2026-03-23T11:45:31.825110Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825119Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c55e8ca84c630170f790b8f9046f7cc555819aa0aa82728986d50cb5be5bd671", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a91bd9d-f542-53e0-b2a2-d05f717967f7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971069Z", "creation_date": "2026-03-23T11:45:29.971073Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971080Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3afd07a7775c13bf147b3ea25fd8fde7cce51bab90753b5af44dc2945d64d699", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a97ea3f-c467-5e68-9cc8-95d7d25bc220", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977961Z", "creation_date": "2026-03-23T11:45:29.977963Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977969Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ae5cc99f3c61c86c7624b064fd188262e0160645c1676d231516bf4e716a22d3", "comment": "Vulnerable Kernel Driver (aka LgDCatcher.sys) [https://www.loldrivers.io/drivers/a8e999ee-746f-4788-9102-c1d3d2914f56/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a982bd1-a4e9-5184-a840-8443a45600b0", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819704Z", "creation_date": "2026-03-23T11:45:31.819707Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819716Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b1409728d31fe9f8921a9380dd206ab61688c3a67c5b508bf5bbecf4b93bd5c7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3a985471-8966-5069-b6bb-bbb46f191caa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982236Z", "creation_date": "2026-03-23T11:45:29.982238Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982243Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "9a91d6e83b8fdec536580f6617f10dfc64eedf14ead29a6a644eb154426622ba", "comment": "Vulnerable Kernel Driver (aka KfeCo11X64.sys) [https://www.loldrivers.io/drivers/76b5dfae-b384-45ce-8646-b2eec6b76a1e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3aa1e839-aa57-533a-979d-c2180e1a2456", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824543Z", "creation_date": "2026-03-23T11:45:31.824546Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824552Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c265291f7d561017b9c60e372e5f8e4e1ccf0009d288776b3e21084d3c392798", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3ac571cf-513e-5a91-b099-3177cc7754e0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:32.146341Z", "creation_date": "2026-03-23T11:45:32.146344Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146349Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a282ba45dd3727203ba40cc8f5f79167bb2d461fe294a49557f4667db1e05658", "comment": "Malicious Kernel Driver (aka driver_bfcbc010.sys) [https://www.loldrivers.io/drivers/dbfcce10-76a3-44a4-a9b8-d7126152a235/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3ad8e293-1a23-5378-abdb-b81ddb0a03a7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485163Z", "creation_date": "2026-03-23T11:45:31.485166Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485176Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6cee8e34dbc221dbb841c0f89db36e70625cebcb4002058aa0af2d34d7ac6b74", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3ae472ba-a480-59b5-bf71-ae3a3880b73e", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609980Z", "creation_date": "2026-03-23T11:45:29.609982Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609987Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "34f36a59ecf6174eeac15994e54c41fe1e3e3b1eee8ed4c399ec8c63212373d7", "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3afbd620-96f2-5039-b74a-5a8f9b49e012", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615832Z", "creation_date": "2026-03-23T11:45:29.615834Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615839Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", 
"value": "5c22b7f65de948fdb74ffc3b5bae68f109bf7404a154ddbfa25dfd53e1bde667", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b03c9d7-2107-5d87-a0e3-acaa6792a378", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831802Z", "creation_date": "2026-03-23T11:45:30.831804Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831819Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5e99507bfbaf16bc39a59e570226a898b26e2a9ce276c0a79aa4a65e7f6e2b17", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b0a2646-a464-5600-9e91-ce5383bedd98", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:30.822547Z", "creation_date": "2026-03-23T11:45:30.822549Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822554Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "00b3ac33836f15ea53e81746ffa7c2888dc3c98492b59a97ba5a0a64166900d0", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b143314-d580-56ca-bb65-5ec525d04cca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815041Z", "creation_date": "2026-03-23T11:45:31.815045Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815053Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6925affc3b3e3bcdc1cc92d1f816a613be9de35e28db36d4cce9481f28dbbca1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b2caa4d-43b4-5e0e-9ef5-37bc41817998", "test_maturity_current_count": 
0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816416Z", "creation_date": "2026-03-23T11:45:30.816418Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816424Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "458efd66c94cd83cbd190d72c329b6c0cec3387802db8ca3cd530a84f80ce2b8", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b3f2274-1436-5f86-9479-60c508fb399a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481767Z", "creation_date": "2026-03-23T11:45:30.481769Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481775Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"8c33314792854eef6c6cc4bd1cc4b00f1feed35e8bd260dd4ab0d93b1f6165af", "comment": "Vulnerable Kernel Driver (aka cg6kwin2k.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b438020-6411-5c7b-8fa8-c8609f04a31d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148277Z", "creation_date": "2026-03-23T11:45:31.148279Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148284Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "157e7334c5e7655ae0c107bfde777aa5d6b0c3176f97f2994761993d418814f8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b47fca2-2199-5fbf-99f4-aefd677d2164", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.812240Z", "creation_date": "2026-03-23T11:45:31.812242Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812248Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3fc5a4b5ef0e979b1d16e4f6a2a766edfd1b9e80228bc0892db3f9e6adffc96e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b4c9874-7466-54ff-bb27-3320f948a34f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146564Z", "creation_date": "2026-03-23T11:45:32.146566Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146572Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a6deeea6607a7da9c8b4087d1424aac6dbbe70831e93c835b5a9e4a80ae59f28", "comment": "Malicious Kernel Driver (aka driver_a6deeea6.sys) [https://www.loldrivers.io/drivers/f694c0e1-b75d-4c41-acbd-a87b72d8abe4/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b4dcfa9-d9ae-5aa1-8fcc-ff0fe841a1df", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604355Z", "creation_date": "2026-03-23T11:45:29.604357Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604363Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "70bcec00c215fe52779700f74e9bd669ff836f594df92381cbfb7ee0568e7a8b", "comment": "Vulnerable Kernel Driver (aka STProcessMonitor.sys) [https://github.com/ANYLNK/STProcessMonitorBYOVD/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b5495be-6a61-5fd4-b71b-4e4cd3e53830", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622616Z", "creation_date": "2026-03-23T11:45:29.622618Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622623Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "31f4140c12ac31f5729a8de4dc051d3acd07783564604df831a2a6722c979192", "comment": 
"PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b5620ad-f93a-5301-8f1f-e37ccbc282f4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152686Z", "creation_date": "2026-03-23T11:45:31.152688Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152693Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0d2e499e573f90ae279f381b952ff76b6d43ac34855946e2a0a79bdbd4ae2165", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b5d14c4-80a1-557e-a4ac-c69502851596", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147165Z", "creation_date": 
"2026-03-23T11:45:31.147167Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147172Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e95946ab82b3992a3f89a25e6e67f08ab2d086e7ba6f2d8efff2cca76b96f407", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b61727e-27a8-5ece-995c-622986c6c3d8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605174Z", "creation_date": "2026-03-23T11:45:29.605176Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605181Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "08b1b690730707fe4c04d4a8e05e229a58ef2bb7cdf8930c6a34c7ea4983c93d", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b6a026c-042e-5646-8575-29a40078c2cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610048Z", "creation_date": "2026-03-23T11:45:29.610050Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610056Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "19696fb0db3fcae22f705ae1eb1e9f1151c823f3ff5d8857e90f2a4a6fdc5758", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b6b5d42-047f-5701-b816-ea56808153fc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809099Z", "creation_date": "2026-03-23T11:45:31.809101Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809107Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "71146bcb72abe1519c249a997e237b81a5e1114cd11d597be288f1fb14ec8950", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b6e38a6-8668-5363-babd-bb8e724d9d9c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983884Z", "creation_date": "2026-03-23T11:45:29.983886Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983892Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d23bdbaf9905259d858df5bf991eb23d2dc9f4ecda7f9f77839691acef1b8c4", "comment": "Vulnerable Kernel Driver (aka iomem64.sys) [https://www.loldrivers.io/drivers/04d377f9-36e0-42a4-8d47-62232163dc68/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b754c0f-746d-5bd0-bd45-bb46522bdf02", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970332Z", "creation_date": "2026-03-23T11:45:29.970334Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970339Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bee3d0ac0967389571ea8e3a8c0502306b3dbf009e8155f00a2829417ac079fc", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b77122e-246c-50c3-a517-abe3cadb9fdb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808558Z", "creation_date": "2026-03-23T11:45:31.808560Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808566Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "76346678c5d72ce03497bcf4fb35e4c1f64edd453fd755e4b6adda69198ea4f6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b7aa0b2-2dd3-593e-9f68-fd7581590704", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148260Z", "creation_date": "2026-03-23T11:45:31.148261Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148267Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a77532f83971f8d0a982331e4b1d2529e736e52700f99ef646004271ea086217", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b82d260-d3c2-5d88-8e45-95e63c8de79b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812703Z", "creation_date": "2026-03-23T11:45:31.812706Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812714Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0a023cdcc0d263f711310ee1161bc05a04b596fcb5915939a684fdc9e20139b3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b8aff84-1923-526d-935c-de85a5980537", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828084Z", "creation_date": "2026-03-23T11:45:30.828086Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828091Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "810ab8565dfc1d44151ae8c878be0944abf706877e31f51a12695c06efbec4b9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b901092-727a-5aa7-9c74-f99c9457aa56", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476052Z", "creation_date": "2026-03-23T11:45:31.476056Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476065Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f50b81473c5bf95988b4c8a0e8eabd83648384dc96180ba197e3e18f3aac0a5d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b9ad25c-ae7a-5038-9c69-63260519fe4c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609962Z", "creation_date": "2026-03-23T11:45:29.609965Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609970Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a363deaf1790e9c0610e07a7203749aab8b60f5ededc944abc0ef3010f5e2105", "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3b9ce25a-9dee-5045-8775-d8a47dc50ae8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827176Z", "creation_date": "2026-03-23T11:45:31.827178Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827183Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "781b7d5905d14e413214d0d72734441fca5fd3cf906a1403d231359024ecc296", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3ba27702-bd96-563a-ae42-6ae696246e7d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461810Z", "creation_date": "2026-03-23T11:45:30.461813Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461822Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3033ff03e6f523726638b43d954bc666cdd26483fa5abcf98307952ff88f80ee", "comment": 
"Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3babf603-8f45-5ea9-b206-a36f01fd7707", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605504Z", "creation_date": "2026-03-23T11:45:29.605506Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605512Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f3576ebbab0429cb0b7624836821f5f062c60cdda80432768544f0ff9ee79b55", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3bd2bf60-daab-5ab9-8247-225b5b1292fd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472836Z", "creation_date": "2026-03-23T11:45:31.472839Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472849Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fe3320bb661b71a041cf0d6964db8cdc0d1210a0a6a21012a979a208a6715b30", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3bd7085a-822c-552d-9135-80c21909757f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819691Z", "creation_date": "2026-03-23T11:45:30.819693Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819698Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4d777a9e2c61e8b55b3c34c5265b301454bb080abe7ffb373e7800bd6a498f8d", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3bdd31a0-2846-5813-b231-88d99bbf0a7f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480732Z", "creation_date": "2026-03-23T11:45:30.480734Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480740Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bfc121e93fcbf9bd42736cfe7675ae2cc805be9a58f1a0d8cc3aa5b42e49a13f", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3be063c8-46d0-5abc-9e05-a6280ed5ce7e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461668Z", "creation_date": "2026-03-23T11:45:30.461671Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461680Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "208ea38734979aa2c86332eba1ea5269999227077ff110ac0a0d411073165f85", "comment": "Vulnerable Kernel Driver (aka titidrv.sys) 
[https://www.loldrivers.io/drivers/705facba-b595-41dd-86a6-93aefe6a6234/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3bea576f-f35e-50f0-855d-269ca19841fc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492757Z", "creation_date": "2026-03-23T11:45:31.492761Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492769Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2c0d7ab7cf7d60bc75e37ad417daca7ab8c4916485270b13d5cea7e1fd953b2f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3bf26f1a-62bd-5c90-a0e8-7f730b22fe47", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470814Z", "creation_date": "2026-03-23T11:45:30.470817Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470826Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fcad50a13dcf1eeefffe2c2f51a052fd13bfaeddb0bd1f3c2353c64284ea62e2", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3bfd60ed-6600-5aeb-9620-d6b92e26a5dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985832Z", "creation_date": "2026-03-23T11:45:29.985834Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985839Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "16a1977a9251d6d4bec86bb0702a97bcaefa94444bbfe3978af2f79ee10d62a6", "comment": "Malicious Kernel Driver (aka NQrmq.sys) [https://www.virustotal.com/gui/file/ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3bfdc963-0463-50ad-821d-b7a6c4799a86", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982555Z", "creation_date": "2026-03-23T11:45:29.982557Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982563Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "389d04a947be32b43eab5767f548fc193e9ac5fe5225a3b6dc26ddc80c326d7d", "comment": "Malicious Kernel Driver (aka daxin_blank1.sys) [https://www.loldrivers.io/drivers/1bf3b155-752a-4cc7-beb0-f202e525eb1a/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3c02528b-4c5b-5c33-b0fb-66739f908bf3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155596Z", "creation_date": "2026-03-23T11:45:31.155599Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155604Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a3bdfd308d29f5f5c07035701a30d4120b69c7ae4003ca179a41e69d9e6b961c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3c025e53-97ec-5444-a1a0-5835d910d984", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981367Z", "creation_date": "2026-03-23T11:45:29.981369Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981374Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "854bc946b557ed78c7d40547eb39e293e83942a693c94d0e798d1c4fbde7efa9", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3c04061b-eed1-51ed-99ed-fa4a4dfef853", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810362Z", "creation_date": "2026-03-23T11:45:31.810364Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.810370Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "087c53edab3309eb60f7663438c24b515818de19702a53bf0e9cf445f12133fd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3c0f29bd-c90e-5122-abc2-1799dba648b8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455556Z", "creation_date": "2026-03-23T11:45:30.455559Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455568Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "76af3f9fa111d694e37058606f2636430bdd378c85b94f426fbfcd6666ebe6cc", "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3c12a4d2-4f80-540d-aec2-20987bd9183e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824331Z", "creation_date": "2026-03-23T11:45:30.824334Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824339Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "df276afe1f65f0705c18cf52d37f32e4a3f1ea9ff36fa5fe6012b687da2bebe1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3c1398a6-613f-5df0-891c-0507517974a8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499538Z", "creation_date": "2026-03-23T11:45:31.499541Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499549Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47f7c0b0212d3e5d881d821ab0697aa9beb29da8c67d6d513b51329594063b1c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3c145121-9f67-5acd-81bb-f0c02d58b07a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984122Z", "creation_date": "2026-03-23T11:45:29.984124Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984130Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8aba8df5a1aa3f14551047c8c9dea2b2d5867f2ad4dec89b53530c96a13c84db", "comment": "Vulnerable Kernel Driver (aka CupFixerx64.sys) [https://www.loldrivers.io/drivers/c98af16e-197f-4e66-bf94-14646bde32dd/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3c151a64-55ea-5ea3-a72a-55293b1aefd5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467590Z", "creation_date": "2026-03-23T11:45:30.467593Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.467602Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "028011ae3cd1d972b7c46fc8261f583d1fe5dedcef02ee63ee532b3668bfdc25", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3c17e236-a3b6-580e-97db-61400a65850c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613563Z", "creation_date": "2026-03-23T11:45:29.613565Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613571Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ac7b3c3b74e6e282c7f50c17a6213b81b181f779cd7c0c78e3cb426c427a98db", "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3c319db3-903c-5dfd-9650-924206544b1c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814494Z", "creation_date": "2026-03-23T11:45:31.814497Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814505Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "530cdaa6c56ba94938ea82a4a2e91b8dfcd5a7a1faac320600cc9f43adf10b3f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3c4f5941-bb5e-5617-9618-a728eb262939", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816865Z", "creation_date": "2026-03-23T11:45:30.816867Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816886Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "05c15a75d183301382a082f6d76bf3ab4c520bf158abca4433d9881134461686", "comment": "Vulnerable Kernel Driver (aka CP2X72C.SYS) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3c5202dd-ebad-56d6-8a6b-e46afc303089", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477581Z", "creation_date": "2026-03-23T11:45:31.477584Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477594Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5d160f1e1eb14430974e27e865d58ef410d987a1142409f24f7dfb6bb61ebe03", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3c630abb-6e00-5531-a584-7e661688169e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490138Z", "creation_date": "2026-03-23T11:45:31.490140Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:31.490145Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1bc1c957ed632fd4e19c3f39f1e3e73fc9f34e363077329fceaecb36892c6ce3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3c6ed26d-3e6b-5f4f-9a34-1cb50f6b1912", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489501Z", "creation_date": "2026-03-23T11:45:31.489504Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489512Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fbcaf228879ba5effe4b49da888e0cf197bcfbce92ecd297c5f756353fd29f40", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3c87dc52-db4a-5193-a8fe-8c5af28185cd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154519Z", "creation_date": "2026-03-23T11:45:31.154521Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154526Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d2b1e51eaf700909df86108f021961970ec24721b66d3248f64be7f15fc9482f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3c8d35fd-cc3f-5564-947f-73cef799bb13", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481615Z", "creation_date": "2026-03-23T11:45:31.481619Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481628Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e1ebac06f8f63c3afd1428849b68ca03567b14fddf79f4cb91561b51a89c025b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3c8daf89-46c4-542d-b6ce-097fa65b32c6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828842Z", "creation_date": "2026-03-23T11:45:30.828844Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828849Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7c0744d29a4d956fd34a41e804fe486250ecac8da878fc110ef219d6bcbf294c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3ca41381-7c6d-5b18-9901-76b7c1122871", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825335Z", "creation_date": "2026-03-23T11:45:31.825339Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825348Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "95557ce0e6600ff4883577ff18c58379f1276db52aed9af01a6588131e3a5167", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3cabdaf0-8fea-5866-b62f-b75bcaedc76b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980254Z", "creation_date": "2026-03-23T11:45:29.980256Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980262Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0507d893e3fd2917c81c1dc13ccb22ae5402ab6ca9fb8d89485010838050d08d", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3cb25458-98d1-5b57-9128-f763d166c1e7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817286Z", "creation_date": "2026-03-23T11:45:30.817288Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817296Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6fcb7131bc940fc01dc5444a1ae18bf299e92c3155a783629007cf2a61cda9db", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3cbcc79e-794a-5b98-856a-1617552d40b8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140294Z", "creation_date": "2026-03-23T11:45:31.140297Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140305Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4c712475ca6730e1c1251e30cc137391fae733cc316bb4e09dc9d8cc0943b285", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3cc47fbe-2ec2-515f-94fc-36e53e2a8cc9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618497Z", "creation_date": "2026-03-23T11:45:29.618499Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618504Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "372c6118541efaa800bcba6e0c1780f9beb8cab6f2176bcc5fe3664ea19379e4", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3cd0e340-f49f-587b-89a8-687ad19416ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617989Z", "creation_date": "2026-03-23T11:45:29.617991Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617996Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3b2ad08123e8ed2516548240cfcdf5eefd89293f31070a6cd3949ee1b66fed14", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3cd6bd37-264c-5f89-80ad-25bb294db2fd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821672Z", "creation_date": "2026-03-23T11:45:31.821674Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821680Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9ce73093c56112af457da031aae34076a633184258a0a0957e28fbb0e7791c6e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3ce5f9c5-527d-54b3-aec2-cd4ede2f5e37", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813374Z", "creation_date": "2026-03-23T11:45:31.813377Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813386Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fa2848cf2cd9f9b241c73ba092460777573828c50eaafed6983f1c5d62edba84", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3ceb8874-4fc4-51f5-9255-3f75fedb782b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981890Z", "creation_date": "2026-03-23T11:45:29.981892Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981898Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "129fa1795cffca9973f59df59f880a9f2bdb3aa9873363f8e2f598ccc6e32542", "comment": "Vulnerable Kernel Driver (aka DirectIo.sys) [https://www.loldrivers.io/drivers/ce2d41fd-908f-414c-b6b5-338298f425b8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3ceba656-7adf-5d40-8f6b-b98757cf91bb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147077Z", "creation_date": "2026-03-23T11:45:31.147079Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147084Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7906e164394dcbf1e06cc8001a5f1ddd6c479029e37c65ff5636796be1fac135", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3cfc893a-a638-5270-bd66-ed199be912da", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.821757Z", "creation_date": "2026-03-23T11:45:30.821760Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821769Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3f3684a37b2645fa6827943d9812ffc2d83e89e962935b29874bec7c3714a06f", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3d02f2ea-81af-596c-be07-750c5d09c798", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495818Z", "creation_date": "2026-03-23T11:45:31.495820Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495825Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5df98d47f1c72157d3cac0a499296e2e5b741f5aed7aca9134e1952a39dbb55a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3d0af958-0118-59a2-bc4a-dc1535b48e0c", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820106Z", "creation_date": "2026-03-23T11:45:30.820108Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820113Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "717242ad6a3afb6f236890caa44501a4be8d0ab019f028ba2c74d3455f065804", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3d0dea25-74ee-567c-8db2-be53fe771af9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974644Z", "creation_date": "2026-03-23T11:45:29.974646Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974652Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"af45d91fefd4dfffda0ce70957a542b68775368432e52d20dfdf0fc159495c7f", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3d0f4486-53c2-5f01-9083-611db0bd78e8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.478802Z", "creation_date": "2026-03-23T11:45:31.478805Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.478815Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6981813c6d68c56fcb1366a57dd34a2f73c365043dcc7d64efb51db3fcff7147", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3d367f93-5778-50ad-83e8-f6ae9e3f1afd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:29.615203Z", "creation_date": "2026-03-23T11:45:29.615205Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615210Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "745273e1620bc657d2210ae1b5abb49f4f5928829f95c8ef01ce151bdbb4c32f", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3d3699b0-31c0-5840-a3f7-e6e7406dc53c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967826Z", "creation_date": "2026-03-23T11:45:29.967830Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967838Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "74b432289de1302c53356b92ebebc0ac92e8159ab7746444e1ac85f7e90cd28e", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3d38e0f2-c4b2-5389-8a4a-32303f611b71", "test_maturity_current_count": 
0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488845Z", "creation_date": "2026-03-23T11:45:31.488847Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488853Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "02ac34d10a3e72c1fec7ebce30cd20db595bf45efe7e8cde888d2dcfc56dca9a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3d3b0db9-7403-5a3b-abce-6c10bdad3f64", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620745Z", "creation_date": "2026-03-23T11:45:29.620747Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620752Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "ac3f613d457fc4d44fa27b2e0b1baa62c09415705efb5a40a4756da39b3ac165", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3d50a747-b61a-59be-a6d4-17147b52a401", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468461Z", "creation_date": "2026-03-23T11:45:30.468464Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468472Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "edf05640ad7caa10756cc4163e926de74157da1d81b4d245b602a36f4c8cb4d0", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3d61eae8-4969-59fd-8ba2-f3eb89410789", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453431Z", 
"creation_date": "2026-03-23T11:45:30.453435Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453444Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c4f56281d762bfaeb2168c13f3349611c8e3443602d2015540a742d6e79e6bc", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3d679b27-70a2-5176-8a0b-1e178d0087a8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491706Z", "creation_date": "2026-03-23T11:45:31.491709Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491719Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6a33b8de796951d3140ce8441be03c748fad27efb1eed5ececd9ce5cc1c9d38c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3d91cf19-1299-5782-9365-96483f8bbc75", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480493Z", "creation_date": "2026-03-23T11:45:31.480497Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480507Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6ecec4fe9e9cbc648b7fb4ebec945268f5f1e2a73cf07efb3c29d67c4fe685a2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3d978851-0b46-5ed2-9399-d8641158f61b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480064Z", "creation_date": "2026-03-23T11:45:30.480066Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480071Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"68105d0f74ab436d36a741095d9ac08b8316e926727d59f3fe874395b291615c", "comment": "Vulnerable Kernel Driver (aka iscflashx64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3d983f17-85c1-5f33-aaae-e0fa398f14af", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159457Z", "creation_date": "2026-03-23T11:45:31.159458Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159464Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9d59246ccbe367e762c60a6dc64ccbca2afed2e3d48339dd461c8736c643a521", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3dbe74ce-1467-51e2-8144-6ed163467f23", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.816155Z", "creation_date": "2026-03-23T11:45:30.816157Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816163Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ad8c38f6e0ca6c93abe3228c8a5d4299430ce0a2eeb80c914326c75ba8a33f9", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3dc19227-8e27-5bc3-ac0c-f517ef56d5b0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983229Z", "creation_date": "2026-03-23T11:45:29.983231Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983236Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "71fe5af0f1564dc187eea8d59c0fbc897712afa07d18316d2080330ba17cf009", "comment": "Vulnerable Kernel Driver (aka DBUtilDrv2.sys) [https://www.loldrivers.io/drivers/bb808089-5857-4df2-8998-753a7106cb44/,https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3dc4b816-2c71-5a94-b3b3-d2158adac29b", "test_maturity_current_count": 
0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822980Z", "creation_date": "2026-03-23T11:45:30.822982Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822987Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a0dbcf82dc346a49a816b3a6283392c9f2531661e460072ba063be898e5cbda0", "comment": "Vulnerable Kernel Driver (aka SBIOSIO64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3dcacc0c-d480-55a3-9be8-e54d40288aa9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144075Z", "creation_date": "2026-03-23T11:45:32.144077Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144082Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"2cd7a0c4e8d24404c92e4ed8539b2136028a8ca663f3432e417b00665493e13f", "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3dcc9676-b2d7-5d49-a9d7-1a62bf86854c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606865Z", "creation_date": "2026-03-23T11:45:29.606867Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606889Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7a4e4ee169fe0f1f079e5f5c1da38ea70fe717e728faf054deb180f9e37fe574", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3ddb26a4-3ffd-5213-9fc0-158a00d10dc8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457661Z", "creation_date": 
"2026-03-23T11:45:30.457664Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457673Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f3308899fc0ebdd04a4dacc386873c25dabe32a8f34607fb335148d2dab667d8", "comment": "Vulnerable Kernel Driver (aka rtkio64.sys ) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3df076fe-5644-585b-8486-7e476582899c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499322Z", "creation_date": "2026-03-23T11:45:31.499325Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499334Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "976eb2b6361c0bec3954b294089e2263084509848381b6ded0d75e87ca074875", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3df50ee6-7969-52d4-8e89-b4d961f4c386", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972160Z", "creation_date": "2026-03-23T11:45:29.972162Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972167Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff115cefe624b6ca0b3878a86f6f8b352d1915b65fbbdc33ae15530a96ebdaa7", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3dfc5d0f-a4da-5a5a-9899-2551aa4abf09", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827963Z", "creation_date": "2026-03-23T11:45:31.827964Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827970Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"9efaad2e2089820dc5726e358fa731ba7788d88f8fe1fc243c3afd4cb5fe89dc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3e0917b3-ccaf-5ad2-b0fa-c0b62955c887", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831985Z", "creation_date": "2026-03-23T11:45:30.831987Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831993Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1a3d046af99f88973d09dd034ac9b49bd74e2abfd829d2d73cc75b5e0d1d6059", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3e1979e8-e21f-580d-b3b8-4439c588cbbe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477067Z", "creation_date": "2026-03-23T11:45:31.477071Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477081Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7d164cd50476f880c4ddd879db399bfbd53fcbbffcba3be9152e69f95d36a1d3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3e255873-2c5a-5e7c-9949-0ff731100561", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620565Z", "creation_date": "2026-03-23T11:45:29.620567Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620573Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4a3d4db86f580b1680d6454baee1c1a139e2dde7d55e972ba7c92ec3f555dce2", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"3e3ac6bb-dbc5-57ab-bf7d-89dc089ebc70", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968705Z", "creation_date": "2026-03-23T11:45:29.968707Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968712Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8f33f349062cbaa5591760bed8b0185730e043440a302702e3be12554aa62104", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3e435f38-e49b-56d1-a942-d08282ab0df5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143650Z", "creation_date": "2026-03-23T11:45:32.143652Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143658Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "1ff54579dc4b76e814495d8e1d452a6f868adf06c2de0afdc5c3878b380d0a17", "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3e441d39-c653-59a6-98f1-15142c8f0ba4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454066Z", "creation_date": "2026-03-23T11:45:30.454069Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454078Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cbf74bed1a4d3d5819b7c50e9d91e5760db1562d8032122edac6f0970f427183", "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/bc5e020a-ecff-43c8-b57b-ee17b5f65b21/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3e4d8d40-0bd2-5cad-a69c-95acadedd0fa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.465227Z", "creation_date": "2026-03-23T11:45:30.465230Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465239Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "492113a223d6a3fc110059fe46a180d82bb8e002ef2cd76cbf0c1d1eb8243263", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3e53e505-5d70-5dc2-8354-20d1d0caf359", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808182Z", "creation_date": "2026-03-23T11:45:31.808185Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808194Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "65ea10f141b979601725e485131626c82f6e173bcfb5bac831fee25d59e4afc6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3e5abaae-3725-58cd-83dd-1e580af07492", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977647Z", "creation_date": "2026-03-23T11:45:29.977650Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977658Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "09bc9d0606d8b96f1d9fb18741bdb43aa5c188981d298df047b8c75351d68653", "comment": "Vulnerable Kernel Driver (aka CorsairLLAccess64.sys) [https://www.loldrivers.io/drivers/a9d9cbb7-b5f6-4e74-97a5-29993263280e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3e5bbe79-0cc7-5b5d-992e-60170d476749", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824433Z", "creation_date": "2026-03-23T11:45:31.824437Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824446Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"0524c94ffc9460a05bce72e9f7d4fa18e3c65012400df223b319e13d2efb156d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3e5c96f1-c90c-51c4-aa44-2aceba3ff44b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610159Z", "creation_date": "2026-03-23T11:45:29.610161Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610166Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5b3705b47dc15f2b61ca3821b883b9cd114d83fcc3344d11eb1d3df495d75abe", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3e623caa-d5e7-545b-80c0-21ba99691224", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.155452Z", "creation_date": "2026-03-23T11:45:31.155454Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155459Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3ef4acefb20d9d76b65695771a22e245851e04a8eb2585a99fa725ece406ba62", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3e67f682-c09a-5fb6-95cb-1fc57ce5de60", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619266Z", "creation_date": "2026-03-23T11:45:29.619268Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619273Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "082c39fe2e3217004206535e271ebd45c11eb072efde4cc9885b25ba5c39f91d", "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3e6ad2a5-63b5-5bdb-9f2a-108bd94cc804", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618151Z", "creation_date": "2026-03-23T11:45:29.618153Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618158Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7c933f5d07ccb4bd715666cd6eb35a774b266ddd8d212849535a54192a44f667", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3e70fd64-6344-506e-8e26-3584a117be24", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606812Z", "creation_date": "2026-03-23T11:45:29.606814Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606820Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "120f7983011211e6740d7a3a4cd2354507866ef7d36a48e2e3a9bd5b52c21c8a", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3e79a4d9-fdc3-53b9-aefb-a29d269af320", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153339Z", "creation_date": "2026-03-23T11:45:31.153342Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153351Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d14bcd4178ec57464c6463b19a75b4f0549c42ccedc042c40189d68923215dbd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3e842552-ce04-53e9-b0f1-f3ea51b59a92", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616433Z", "creation_date": "2026-03-23T11:45:29.616434Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616440Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bc7ebd191e0991fd0865a5c956a92e63792a0bb2ff888af43f7a63bb65a22248", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3e8f1022-3f9f-539c-ba00-1a7af2c6af6b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824769Z", "creation_date": "2026-03-23T11:45:30.824772Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824780Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "991f3c936c30da549ef0be83af8cc8efbe2b9727f0437dee607591239b28c44f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3e90c0e7-85c0-5c0a-832f-223bc393b7ba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816822Z", "creation_date": "2026-03-23T11:45:30.816824Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816829Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9c8ed1506b3e35f5eea6ac539e286d46ef76ddbfdfc5406390fd2157c762ce91", "comment": "Vulnerable Kernel Driver (aka CP2X72C.SYS) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3e9250a7-4ec4-559f-931c-7ee140b70ac0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969023Z", "creation_date": "2026-03-23T11:45:29.969025Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969031Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9a54ef5cfbe6db599322967ee2c84db7daabcb468be10a3ccfcaa0f64d9173c7", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3e99231f-af8c-5d56-a1d0-7d7f6093ceb5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607363Z", "creation_date": "2026-03-23T11:45:29.607365Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607371Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f1c8ca232789c2f11a511c8cd95a9f3830dd719cad5aa22cb7c3539ab8cb4dc3", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3e9c3a54-0e10-538a-82de-e3032a1c614a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, 
"username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820177Z", "creation_date": "2026-03-23T11:45:30.820180Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820185Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b3183d87a902db1bbdaecb37291b9d37c032ce9dfacbe4b36cc3032f5a643ab4", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3e9f797b-090f-586b-a677-43351c2e9c20", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807587Z", "creation_date": "2026-03-23T11:45:31.807589Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807594Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c21e6134ea6ceb167984d7989f5a65425d7397907c79294dc4683b9785c9cc42", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"3ebb4ca2-6fdc-5a27-ae9e-0ee83186828a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159810Z", "creation_date": "2026-03-23T11:45:31.159812Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159817Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "98fcf8d6b7f61a3644566eb4ed699f7813a0aad1beb3ac7cf86b1f8aab412667", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3ebb736b-9353-5fad-9e61-f0929ad170c7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480941Z", "creation_date": "2026-03-23T11:45:30.480943Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480956Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e34afe0a8c5459d13e7a11f20d62c7762b2a55613aaf6dbeb887e014b5f19295", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3ec6cce2-1c16-5ed1-9480-7ed8a899416d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500416Z", "creation_date": "2026-03-23T11:45:31.500419Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500427Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "274c3fe5b6f2c2ff285b7c9e3820d18d1e262cd62006d83f1547644c45ae58aa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3ecc6f02-b25f-5fa7-9028-60ce0151e454", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811850Z", "creation_date": "2026-03-23T11:45:31.811852Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811858Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b8ffe85d27244973559ee995f28e9a820a36916a1e89621ed5062cfe90d9efb3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3edadbfd-9720-58f0-afa7-ef69159fcf1b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454651Z", "creation_date": "2026-03-23T11:45:30.454655Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454664Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7db320e49139f636c8b6d12b6c78b666a62599e9d59587ba87c6b89b0a34b18d", "comment": "Vulnerable Kernel Driver (aka inpout32.sys) [https://www.loldrivers.io/drivers/97fa88f6-3819-4d56-a82c-52a492a9e2b5/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"3edb0957-a5e0-5eea-9b12-9cf1deb3dc83", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147413Z", "creation_date": "2026-03-23T11:45:31.147415Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147420Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "19df09d385b0520c193171b372de92b13a008b7d1c74f8595e4ad3c867167e18", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3edf284f-db64-5b54-ba83-1d0f2dc13dde", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475301Z", "creation_date": "2026-03-23T11:45:30.475304Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475313Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f6d7faddc3a56875a8d24e4785a139141dd892968f70bf0e37d505af9a3324fd", "comment": "Vulnerable Kernel Driver (aka jokercontroller.sys) [https://www.loldrivers.io/drivers/4c815256-2534-4476-b15d-7cbf24c80098/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3eeaae41-f11c-59b5-92c6-72d7e858dcbd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462890Z", "creation_date": "2026-03-23T11:45:30.462893Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462902Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bc49cb96f3136c3e552bf29f808883abb9e651040415484c1736261b52756908", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3eebb93b-0cd2-5471-be03-4708539339d4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:31.141523Z", "creation_date": "2026-03-23T11:45:31.141525Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141531Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d739cc6794bae0f69c7f92d7441809484bf9bb8537291501e1e9475f9b0016e1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3ef99461-ac78-507a-b681-86bba9679fae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604555Z", "creation_date": "2026-03-23T11:45:29.604557Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604563Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e330de98db81f9b183ef37d31e111301da669f1fc572e87acf8b8c2fe4e602b5", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3f07d1c6-173d-5d42-990f-6a7974993426", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.484974Z", "creation_date": "2026-03-23T11:45:31.484977Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484987Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7b4005dfd853850dfa2560a6bbe94a22280d246e9d6cc23dff0c974eaa35e493", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3f1dbd0d-d402-5a8c-ad3a-6f68a7da874e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147059Z", "creation_date": "2026-03-23T11:45:31.147061Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147066Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "8b2946c1805b365e2df58ed29cc0b77dd2afd2ea991621ae02dfaa5ceb4ba091", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3f21316d-36dd-5908-8a11-8c4b5b65e80e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969947Z", "creation_date": "2026-03-23T11:45:29.969950Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969955Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9e309324897edf07776adbb2b05252d7a2ad8140c6636bc28a5050e4ea183d40", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3f3590d4-d9ae-5a8d-ab69-db72acfa76f9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467090Z", "creation_date": "2026-03-23T11:45:30.467094Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467104Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fc26cebb27c76c6e3d22da679cff81477cab4fcabfb6f5a8a27f596ab51713ae", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3f37586b-5081-5ff4-a0b7-b987f51a43eb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610672Z", "creation_date": "2026-03-23T11:45:29.610674Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610679Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "955dac77a0148e9f9ed744f5d341cb9c9118261e52fe622ac6213965f2bc4cad", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3f4b8ba5-d866-5f3d-879f-5c792a75e676", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.161010Z", "creation_date": "2026-03-23T11:45:31.161013Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.161022Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8a8d3cc4e735124bbfe5187cf1b29305a77411ffd76c340b2d83497febb791a5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3f4c553b-3825-5c61-85ee-af0677a6d51c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816937Z", "creation_date": "2026-03-23T11:45:30.816939Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816951Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"054f04dc0ba1b20701c6f44169ea0fdd27b01a8450a44cc273b0eb0c91cbdb68", "comment": "Vulnerable Kernel Driver (aka CP2X72C.SYS) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3f4e3f34-478e-5d3e-96fe-8f9f4f4aa8d5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977225Z", "creation_date": "2026-03-23T11:45:29.977227Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977232Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "047c1d5bb80826a6f66c182fc8b5f66f59609a71e734117f20a4f98b9866bde5", "comment": "ASUS vulnerable VGA Kernel Mode Driver (aka EIO.sys) [https://www.loldrivers.io/drivers/f654ad84-c61d-477c-a0b2-d153b927dfcc/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3f52d9f7-efc2-5c5f-8196-3fde5fffca5a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969523Z", "creation_date": 
"2026-03-23T11:45:29.969525Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969531Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd3b38875c8b727f18cec382698624679d6413f02cf33d82a7c93b9595860b6d", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3f595eb6-3947-593d-84da-03cce1c9ebdb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621985Z", "creation_date": "2026-03-23T11:45:29.621987Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621992Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e304e5d70d3f986f623fad7f4355d5218d8c1681e423b02db0946cbe1503eb76", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3f5d6109-ab6e-5bd2-b200-9507e431d9e7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821018Z", "creation_date": "2026-03-23T11:45:30.821023Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821032Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3e758221506628b116e88c14e71be99940894663013df3cf1a9e0b6fb18852b9", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3f6a1a94-ee07-513b-b707-442307d5479b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152649Z", "creation_date": "2026-03-23T11:45:31.152651Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152657Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3bfb73ff837b9963ab2f7110b5996a08c569655c50809fbeea2efd74b7a6b5e7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3f6b720b-1c8e-5109-bf4d-255fb7abb4cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812277Z", "creation_date": "2026-03-23T11:45:31.812285Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812300Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6141922e84398c9f7ee3fd81240882650ce1074bcd5b577182ddafb066a2f71f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3f6bcb6d-177e-5e80-a010-b261c41da1c6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150806Z", "creation_date": "2026-03-23T11:45:31.150808Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150814Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "378150056e2c300fcb7d133f7c22e7a27f434532ee0c39dd0c16b433f47383b2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3f6c15cc-88e9-5d7c-b0d5-205e9e88450e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495492Z", "creation_date": "2026-03-23T11:45:31.495494Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495500Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c77dc659c0fc9018f485b2ad49b94e503cbdb36287adf8b753c48b6d4c6e574b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3f72f9ac-7ba3-5868-b435-cdce16001c32", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487326Z", "creation_date": "2026-03-23T11:45:31.487328Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487334Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d73b8a36374d9b20ec0b8c1157a51905b35efe1bca399ec9bb21f45b51174ef4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3f8833ff-d0da-577a-98bf-a29ff1ff6404", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487790Z", "creation_date": "2026-03-23T11:45:31.487792Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487798Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"6d8b836c71c8667a139913f64a92befb05b7c5d033b317dc66d105f9fe4054ab", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3f91298e-302c-5c9f-ba6e-9950ab81b1ad", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143706Z", "creation_date": "2026-03-23T11:45:32.143708Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143713Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "68fcb5cf6723dd195cf6d929cf9c6aaaca649f6956eb3bd63c2c1a8391c0b21f", "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3f976fa7-08ae-5375-a0ee-c88e57fc7711", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459518Z", 
"creation_date": "2026-03-23T11:45:30.459522Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459531Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1cd75de5f54b799b60789696587b56a4a793cf60775b81f236f0e65189d863af", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3fa5da34-a66b-5d37-b1d3-7df59c137fb6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149591Z", "creation_date": "2026-03-23T11:45:31.149595Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149603Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "90856e306cd74eace432eae85219e1e0c9100a2f0a3e2f9eea2b0c6fd6c0e432", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3faa536d-dafc-59af-b476-996a2e0769cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820027Z", "creation_date": "2026-03-23T11:45:31.820030Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820039Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a71a5982e38a10f35e7206c08d8ecdfe90af3266eebc29921ab440116640b169", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3fab97d8-ba09-5c2e-9101-1427b5fc4117", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982396Z", "creation_date": "2026-03-23T11:45:29.982398Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982404Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"36505921af5a09175395ebaea29c72b2a69a3a9204384a767a5be8a721f31b10", "comment": "Vulnerable Kernel Driver (aka aswVmm.sys) [https://www.loldrivers.io/drivers/a845a05c-5357-4b78-9783-16b4d34b2cb0/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3faee5ce-940c-51b7-bf73-7a3c210becce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828854Z", "creation_date": "2026-03-23T11:45:31.828856Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828861Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0eee29a0c648ac6f60b3d6ad1a989d17a2a81c966fda78ccedee43b1a29273f3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3fb6a4fd-eea4-5e6e-a857-a24bc7cf5943", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475959Z", 
"creation_date": "2026-03-23T11:45:30.475962Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475971Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "66f8bd2b29763acfbb7423f4c3c9c3af9f3ca4113bd580ab32f6e3ee4a4fc64e", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3fb90333-a41d-5ba8-98fe-1ba812a2001d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617097Z", "creation_date": "2026-03-23T11:45:29.617099Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617104Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6999caca67b37860abb5e6d95420d1b0d04966bc6674aac3bfde4e2394ad37fd", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3fb905eb-4b03-59b3-8e72-c2fe4ed4fc33", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831966Z", "creation_date": "2026-03-23T11:45:30.831969Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831974Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a433e39aebe84fb5dcce175122236348841199310f361c14a0f7d940123260c3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3fbe5a7f-961b-5403-abf7-9fc90f6980ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156791Z", "creation_date": "2026-03-23T11:45:31.156793Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156799Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"8e0cec48e65c52d54b7c2977fb1147740fa82951f72e5a9a802eec88ad5a2431", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3ff41ceb-b7b8-5334-9f8f-e3e84dda7629", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825853Z", "creation_date": "2026-03-23T11:45:30.825855Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825861Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "92f4ae495acc3196299fd44196386ca021e639ca29c21b5c2c03b7c24f207078", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3ff4a3d0-dcec-5bbf-abdd-38cdc8f3800d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610211Z", "creation_date": "2026-03-23T11:45:29.610213Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610218Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e58bbf3251906ff722aa63415bf169618e78be85cb92c8263d3715c260491e90", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "3ffbe2df-f941-570b-a9b9-83f9b8c6061c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619474Z", "creation_date": "2026-03-23T11:45:29.619475Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619481Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e657e54c341d37881837dbaf553e10bbe31ff2d6ccf9ca939ca5433ec464a73b", "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "401507f6-311a-57d5-8d59-0610ebdfbb39", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480791Z", "creation_date": "2026-03-23T11:45:31.480794Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480802Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e6b6b7606fec21af6dd3532314592dbcead7f43852044e1f3655889f50cb0704", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4016d471-bc45-5cb2-b523-62ceef6bdc24", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827428Z", "creation_date": "2026-03-23T11:45:31.827431Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827439Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "2dcae7db1bb23c65b5ba8fc33cb70bd899b5885476f1a9ff8a85e3870f16068c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "401c9651-db4d-53b9-a405-4b52e05abbeb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487505Z", "creation_date": "2026-03-23T11:45:31.487507Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487513Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2c4190298c143714531a86458e5e3934fbc3fca0a9d73f44cc6757fb85e78082", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4024bcd0-78ee-54b0-a47b-ad27ea514ae0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618788Z", "creation_date": "2026-03-23T11:45:29.618791Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618797Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dcef3c2fe44a68992d2344a8ec129e9d35e7790f4317e9bd7bca6bf217252d91", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "403376f8-965d-5ce6-9a46-cf5e0119852d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489627Z", "creation_date": "2026-03-23T11:45:31.489630Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489638Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aca2d74e09757c2a29e5ed4a1530d2b33f17b11cf5a15567afef30e6fe77debe", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "404d22e7-291a-535c-a397-bfd0e70b4e80", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490748Z", "creation_date": "2026-03-23T11:45:31.490750Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490755Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "33152527615b92ced0d54dd7bf4ccd20cded5ce85232425fba7991b22942a763", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4052fa9f-023e-597e-8268-131520bb6fba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834241Z", "creation_date": "2026-03-23T11:45:30.834245Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834253Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7da06c9844088ecb59445f8d04f13a42b435ed71843fbdde8af44ef4cae234fa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4053de44-a1e7-5f18-9e4e-82ce48523feb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491574Z", "creation_date": "2026-03-23T11:45:31.491577Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491585Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1568a3eed6dffeeb9869cbcb7f6fd852d05b2eb8f78f4b4242a54e652052f4ca", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4054dfc2-c271-54a7-a88d-d6efb29cec45", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967420Z", "creation_date": "2026-03-23T11:45:29.967422Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967427Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a5c873085f36f69f29bb8895eb199d42ce86b16da62c56680917149b97e6dac4", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "405a2d52-5d19-5d06-b75c-ff8c9fefbe42", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475347Z", "creation_date": "2026-03-23T11:45:31.475351Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475361Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "74d3c4c96a2598c883561d5caabaddd71a81d6bd65760b32c93c5161bd28d596", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "406087ff-389a-5e47-a975-1c2eafd2a5be", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152035Z", "creation_date": "2026-03-23T11:45:31.152038Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152046Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "791e46f7a9464c34c95fa0f7d468b8b0b8ef5a60b766c445d78dedad2300396b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4061ead4-94a3-565a-aa93-2a7d90b688cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.497651Z", "creation_date": "2026-03-23T11:45:31.497654Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.497660Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7e5a1c86133049837c7a0a4e334a2e3f24f8580a4b7d1a2776a6258727f5a493", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4063d9d1-6024-5156-94a2-084e78a4fc64", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984529Z", "creation_date": "2026-03-23T11:45:29.984531Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984536Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e288439705d9be2c1f74cf8a44c3853ac3708e52c592b23398877006fadf6ccc", "comment": "Vulnerable Kernel Driver (aka inpout32.sys) [https://www.loldrivers.io/drivers/97fa88f6-3819-4d56-a82c-52a492a9e2b5/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "406446c7-43c2-5a3a-b5da-8b18ed0e4fda", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969682Z", "creation_date": "2026-03-23T11:45:29.969684Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969689Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c1b31926afb22ef6f8a3486f101da279d47c09d4acdb3a7bc743a7df8ae727bb", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4069e4e0-850f-5a57-981b-a3b89bb587e0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146277Z", "creation_date": "2026-03-23T11:45:31.146279Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146284Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e26284a5fb856e2dd08d4d170348f57bb583ec9201ad225115feed1220cb39e1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "406af8cb-e469-5353-9e17-eccec3a52c2f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481133Z", "creation_date": "2026-03-23T11:45:30.481135Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481140Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9ff4ef4bc143cb8df2ae2f800d5124b117456b2e04d4c33db766b7e8e21ea048", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "40735f29-624e-5df2-b2d6-19c27f3ec6d5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824646Z", "creation_date": "2026-03-23T11:45:31.824648Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824654Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1ccbc6ab55d49b3f095fb3225e21df9c7752a9dd31febb13bde051c74b2d2b8b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "407aef52-6273-5ec0-8312-a9d2ae2eeffe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817060Z", "creation_date": "2026-03-23T11:45:31.817062Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817067Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c1bdca534d8c83ecc2ae0f5db03d69c9687d8822662bd79c1d4640977dde2d75", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "407c1343-a14c-5554-a927-930e545dbcb1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494409Z", "creation_date": "2026-03-23T11:45:31.494412Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494421Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6a60639f3f5e821c5c2eeef8a7bcbfc3fa5dc4b96641aaa081a1ea613155f71b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "40891794-b185-56da-aeb1-2e1a65ff5fe5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485801Z", "creation_date": "2026-03-23T11:45:31.485805Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485815Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5b1eb05d052ba7fa8eafbcb6d1a224203339f690fb8dd289f486aa579418fe2f", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "408d6b34-a5d6-539d-9ef8-77a515f2199c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809341Z", "creation_date": "2026-03-23T11:45:31.809344Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809351Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5b9ce9a3dca79650b59b056fa0805cb757e1acd9c320911ac5db701c99ab6290", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4090cd0b-8f9d-50d6-8bf4-7d732d25a89f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140511Z", "creation_date": 
"2026-03-23T11:45:31.140513Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140518Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f06489a6a790e5b2165fee14c6b35c31f6450f102a8bf14db59bdae51f38f8d9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "40974e93-174e-52a2-9028-ec3f4387fd57", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466100Z", "creation_date": "2026-03-23T11:45:30.466103Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466112Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0f58e09651d48d2b1bcec7b9f7bb85a2d1a7b65f7a51db281fe0c4f058a48597", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "409fe022-4e7c-534c-b559-a818a1df5a54", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835025Z", "creation_date": "2026-03-23T11:45:30.835029Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835038Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b3fc6e204a8983d7c9a967c3919d41b0b04745c38086ea94fc80f60d8b4520db", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "40a13e3b-770c-5f3f-bbe5-4ca59cf152c7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981241Z", "creation_date": "2026-03-23T11:45:29.981244Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981250Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"f2ed6c1906663016123559d9f3407bc67f64e0d235fa6f10810a3fa7bb322967", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "40b7d1e4-aa34-5bac-a41d-ecfd7318574f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977604Z", "creation_date": "2026-03-23T11:45:29.977606Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977612Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a52a6fe55bd1c294d6f26b68839770d97850e9ccd5ecfd7f96b9dc4386e0ff08", "comment": "Vulnerable Kernel Driver (aka CorsairLLAccess64.sys) [https://www.loldrivers.io/drivers/a9d9cbb7-b5f6-4e74-97a5-29993263280e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "40b99a0a-943e-5e3a-a20b-3c9729a77b47", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615152Z", "creation_date": "2026-03-23T11:45:29.615154Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615159Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d33f19a12cd8e8649a56ce2a41e2b56d2ed80f203e5ededc4114c78ef773ffa8", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "40b9c474-0a2f-5e85-a3ff-027294c7ac97", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825211Z", "creation_date": "2026-03-23T11:45:30.825214Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825222Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "82f20f52a3e0951ecd4684068ad79d0c0f0efb6810633cee7b195feff842c997", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "40c2ced3-6593-52ff-b103-7ff0d083fa52", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825237Z", "creation_date": "2026-03-23T11:45:30.825240Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825248Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "07d4944c3487b593ae998a8e63fb5d126e65c070bf496618174100b4bc560c3c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "40ca5533-3d89-5817-98be-ab9c6f613de8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485515Z", "creation_date": "2026-03-23T11:45:31.485519Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485529Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"69081c612cd0536f5c5396c1b570c3b5ae63aa2053d83c3c381437899018c8ef", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "40ca7117-6213-5a9a-8ce4-d165080ab765", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617896Z", "creation_date": "2026-03-23T11:45:29.617898Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617903Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "159dcf37dc723d6db2bad46ed6a1b0e31d72390ec298a5413c7be318aef4a241", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "40da7d9a-89d3-54b6-b4a3-c07954902ed1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613888Z", "creation_date": "2026-03-23T11:45:29.613890Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613896Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "543c3f024e4affd0aafa3a229fa19dbe7a70972bb18ed6347d3492dd174edac5", "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "40e7da86-a488-59a9-a674-b15cac9c3914", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616294Z", "creation_date": "2026-03-23T11:45:29.616296Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616302Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fc22977ff721b3d718b71c42440ee2d8a144f3fbc7755e4331ddd5bcc65158d2", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) 
[https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "40ef771e-b860-5576-bbd0-6397a9fa6ba8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472611Z", "creation_date": "2026-03-23T11:45:31.472614Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472622Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "62d9564c56479d3c20474f2a0a563d9fd674d8546de2c9b92d54a6c6d909aae2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "40f0aa3e-e04b-5113-9a12-42e323c248f5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821612Z", "creation_date": "2026-03-23T11:45:30.821615Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821623Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dda2a604bb94a274e23f0005f0aa330d45ca1ea25111746fb46fa5ef6d155b1d", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "40f26117-0b2a-5270-89ba-8987b7df09b7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480401Z", "creation_date": "2026-03-23T11:45:30.480407Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480418Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4b465faf013929edf2f605c8cd1ac7a278ddc9a536c4c34096965e6852cbfb51", "comment": "Vulnerable Kernel Driver (aka GtcKmdfBs.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "40fa6648-8ac5-5c00-94ae-bd7aa0cb522f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.484656Z", "creation_date": "2026-03-23T11:45:31.484659Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484669Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0c18166aadea1991c0ce4c7c5005c69d46cb9f641632e2fcc76ca4904ce1097", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "40fc0a8c-7d0e-5130-a1b5-18b1c7919e99", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813630Z", "creation_date": "2026-03-23T11:45:31.813632Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813638Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "142889356b39784bbeb55dd363909856502fb3e5f6fb506c46eb6ecbe4de3269", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4101429b-28fa-5714-b24e-ffe18be8aad8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464246Z", "creation_date": "2026-03-23T11:45:30.464249Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464258Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee7b8eb150df2788bb9d5fe468327899d9f60d6731c379fd75143730a83b1c55", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "41070809-348d-5f77-873a-25533d9b99d4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471348Z", "creation_date": "2026-03-23T11:45:30.471352Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.471362Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b1d0fdfddddfe520afc18b79b18b5eef730f7586639bd05857a41c0d09a9b9e6", "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/fbdd993b-47b1-4448-8c41-24c310802398/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "41184a19-2d2e-5be1-a61f-ce9d5417a2b1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831236Z", "creation_date": "2026-03-23T11:45:30.831238Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831244Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cb0e276462962a84013194cd6f17cd604ac7775ffeea4ef4af3b2a510fc3a116", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "411b3cfd-b389-50de-8042-4a714c66310c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605989Z", "creation_date": "2026-03-23T11:45:29.605991Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605997Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f29073dc99cb52fa890aae80037b48a172138f112474a1aecddae21179c93478", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "41292acc-d9b3-5747-9f86-f3709c2082a0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493329Z", "creation_date": "2026-03-23T11:45:31.493331Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493337Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "be322d0beee8d45e0408de69ef9a27dddbefddf20f598716287bb16d3e4db549", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4130a484-9097-5047-8497-3842db87ca41", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813612Z", "creation_date": "2026-03-23T11:45:31.813614Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813620Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1e92d6b974a50604b907b3f882a49cc75f0e54a027232d813aab13251257cb67", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4141f367-f7c7-5020-a410-ef19da7cb172", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155380Z", "creation_date": "2026-03-23T11:45:31.155382Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155387Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "71b7882a9b91d824c6c84fc30c5c1548fafb4e0d0eab9bfa2b45d087426a261d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "414667a5-0729-5123-8b4f-769fc65396d2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613951Z", "creation_date": "2026-03-23T11:45:29.613953Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613959Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "85ac17aec836d5125db7407d2dc3af8e5b01241fea781b2fd55aae796b3912b4", "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4147429d-3679-5a6c-be91-1312caff0657", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822637Z", "creation_date": "2026-03-23T11:45:30.822639Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822644Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "06c40abdf980ea22c8c4c50d9599db95d586354a8177e2cd670124e46a22a1f1", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "414ad226-9f53-5ece-b52f-8260ddbede02", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609411Z", "creation_date": "2026-03-23T11:45:29.609413Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609419Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"c92d943a465e20f50bae8d46ea38b635d2da85ae4e34f0170fd6f451890c76d7", "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "414cd694-d4ff-5db9-8967-bb70dce84134", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976696Z", "creation_date": "2026-03-23T11:45:29.976698Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976704Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d579b1853c528e54464c2607e559591ee01b0ab75bc016c14de1c38068328a81", "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4152ad10-3964-505e-8553-37a2ac65bec1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604109Z", "creation_date": "2026-03-23T11:45:29.604111Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604117Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "facc577070cf72cb8d9247e36054fcb30c60a35ae056cffac7411648c513e642", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "415b6f59-ed24-59b7-8e81-32dc2311d321", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827158Z", "creation_date": "2026-03-23T11:45:31.827160Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827165Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c7ff86dc7076bdbb447663074f8fe865a6a2df699dec55ffe0a268f086a3b9b2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "415df284-d94d-59f2-9e4a-969b80a31fd0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488604Z", "creation_date": "2026-03-23T11:45:31.488606Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488611Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "51a63a7cd94daa409f8ef380dd382efe5b0a667092333d06115d2ff370991736", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "41727382-77d5-52db-9e3f-8a2497681a31", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492539Z", "creation_date": "2026-03-23T11:45:31.492541Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492546Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b280e3370a7ea9f36a88fe087c4c0cd078274d7910726ff4dfe996786a0ffa9e", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "417d8ba5-a58a-527b-8bb3-97c60564f7c6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607706Z", "creation_date": "2026-03-23T11:45:29.607708Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607713Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8399e5afd8e3e97139dffb1a9fb00db2186321b427f164403282217cab067c38", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "417e97dd-2309-5a74-a10f-3ddd39819a3d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983630Z", "creation_date": "2026-03-23T11:45:29.983632Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983638Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8920dedd3c5488ecc1db2ace55b2000d4cebf899c5e591b429d3f7767eee2216", "comment": "Vulnerable Kernel Driver (aka HOSTNT.sys) [https://www.loldrivers.io/drivers/e42cd285-4dda-4086-a696-93ab1d6f17ca/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4182c104-9471-5957-9e9d-a85182fa88b1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468917Z", "creation_date": "2026-03-23T11:45:30.468920Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468929Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ccadd6f8b6705e756544646d99f97030f291fc68377ce06f71e8c55512941c47", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "418aeb05-9824-5d35-a1fc-469cb07f4177", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475647Z", "creation_date": "2026-03-23T11:45:30.475650Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475658Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d84e3e250a86227c64a96f6d5ac2b447674ba93d399160850acb2339da43eae5", "comment": "Vulnerable Kernel Driver (aka directio64.sys) [https://www.loldrivers.io/drivers/a254e684-f6eb-40c4-a50a-7b76feb6cc02/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "418f210f-f7f4-504f-a49a-ad39f94b86cc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835573Z", "creation_date": "2026-03-23T11:45:30.835575Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835581Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "af69ca9a69ca3f344d67646851347288fd12e7cdda2752c73d30330474eb9eca", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "419a3541-0988-5d4f-9f97-5b3eff5934a6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817480Z", "creation_date": "2026-03-23T11:45:31.817482Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817487Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4bd9897e9015714c68648a43917b55d785ed9cbb56f6f8dab29bedb683a9c8b4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "419c1f2f-8fc1-5f34-970a-1b8bed129bbd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816358Z", "creation_date": "2026-03-23T11:45:30.816361Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816366Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "733789d0a253e8d80cc3240e365b8d4274e510e36007f6e4b5fd13b07b084c3e", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "419e290d-a64e-511b-991f-207c02fd7463", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617954Z", "creation_date": "2026-03-23T11:45:29.617956Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617961Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "15c53eb3a0ea44bbd2901a45a6ebeae29bb123f9c1115c38dfb2cdbec0642229", "comment": "Vulnerable Kernel Driver (aka nt6.sys) [https://www.loldrivers.io/drivers/e71f0866-e317-44d4-a456-d6f0c555aa73/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "41a13983-1ca5-52fe-a8b7-205ea2607ffb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816377Z", "creation_date": "2026-03-23T11:45:30.816380Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816386Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a01529ce82033d94802a3e0cc6a361d51200588068f5bd4f0a08ea05e061240f", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "41a95312-c9dd-5551-b80f-18a1b32ccbaf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609667Z", "creation_date": "2026-03-23T11:45:29.609669Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609674Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "28999af32b55ddb7dcfc26376a244aa2fe297233ce7abe4919a1aef2f7e2cee7", "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] 
[https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "41aa1e0e-a7f7-54ba-b3e1-f48ccbfa4e72", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614127Z", "creation_date": "2026-03-23T11:45:29.614129Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614135Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "43ba8d96d5e8e54cab59d82d495eeca730eeb16e4743ed134cdd495c51a4fc89", "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "41aad461-f9a2-5115-a520-dd3e5d7fdc5d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833147Z", "creation_date": "2026-03-23T11:45:30.833150Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:30.833158Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "99fc46919b6105ecf2d4dae5aca785ac652828e42faede1468be593e52c3acaf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "41b7d4bc-0327-5f72-83d5-2493afdb32f7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811240Z", "creation_date": "2026-03-23T11:45:31.811242Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811247Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7d74454fbc48c1a5a7dc35f53d58200e49291c34f26ed274bc454abc1ba26002", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "41e36f27-0ab3-56cf-b159-d90b80516f1a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620313Z", "creation_date": "2026-03-23T11:45:29.620315Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620321Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c", "comment": "Vulnerable Kernel Driver (aka amsdk.sys) [https://www.loldrivers.io/drivers/a285591e-ad3c-46a3-a648-c58589ff5efc/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "41e43ac2-3a79-5a07-9afd-24c517047628", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828347Z", "creation_date": "2026-03-23T11:45:30.828349Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828354Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "965e2a08a3ad054cd8356ccdd7513613902ce3be7bcc262ca156e9db2cf0f4db", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "41e8b632-5520-5884-9050-4cdc14e50047", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.147040Z", "creation_date": "2026-03-23T11:45:32.147042Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.147048Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "51ad864af75441b537ab0a37cf045f19117eab5e10fc179ef1e8164d9ef5d2e0", "comment": "Vulnerable Kernel Driver (aka ThrottleBlood.sys) [https://securelist.com/av-killer-exploiting-throttlestop-sys/117026/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "41f8d812-ab1a-5ebd-b072-d7c30d506666", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154747Z", "creation_date": "2026-03-23T11:45:31.154751Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.154759Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e852b54ff7357691235f9a359f8ec625fafc784f991acde0b3973621a06fbb6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "41fa1afb-8212-5384-bd77-241a7e9f6634", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817841Z", "creation_date": "2026-03-23T11:45:30.817844Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817851Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee067313bd75acae24e1661cb6807ed6148f9af34542ed77578144b21f5c8da1", "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "41fd5ea9-cab5-5332-8ab8-cd194e0a08d1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826443Z", "creation_date": "2026-03-23T11:45:30.826445Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826451Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5db520afe0278928b9b70b22e991b331d381ab959e4bb1472266dc57c9bd8e40", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "42004600-13ad-59bb-a2e0-9fa0a639aba7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610475Z", "creation_date": "2026-03-23T11:45:29.610477Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610482Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "600a2119657973112025db3c0eeab2e69d528bccfeed75f40c6ef50b059ec8a0", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] 
[https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "420221e4-9d20-55a2-a482-f1a335387419", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479666Z", "creation_date": "2026-03-23T11:45:31.479670Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479680Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1970441341b44c20f80b2517a42db7623dc62d57458e74894593eadca0acc9e9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4208851a-654a-5120-873e-44354ba7f6cc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498308Z", "creation_date": "2026-03-23T11:45:31.498311Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498319Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5b6d6ed719ae1555fc75a05425ebc9ce79b7f47b36baffa1014e1e3d413a2f07", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4209a3e6-61c9-586c-9006-c316df385742", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829412Z", "creation_date": "2026-03-23T11:45:30.829414Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829419Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e247b7a0e986e0d9660d85b90a2f1c4d8dc3e515c339fa1e936898f86e096336", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "420ff32a-3448-5184-b3b9-6e95c9821753", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983158Z", "creation_date": "2026-03-23T11:45:29.983160Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983165Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a000d211840cb8fbcbf95c334b1d04eadb45ba03b0413c96472e47e9e22413ff", "comment": "Malicious Kernel Driver (aka daxin_blank.sys) [https://www.loldrivers.io/drivers/7e80423f-8b30-4ee2-b904-9f5421826a8c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "421114ff-0593-5dc3-bdbf-f4925659789f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468078Z", "creation_date": "2026-03-23T11:45:30.468082Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468091Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6789e1a2e0d23528a91e49851bd95bceb6ffe9927f34b52a78ecc2b1d4bc13b8", "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4215f19c-f133-58ac-8a9f-29c91f4935e0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807520Z", "creation_date": "2026-03-23T11:45:31.807523Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807528Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a7d7e34a5c9298104911195dd590f209e47b62d81792aac6a1acc2e9c9cb4a86", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "42279296-c72e-5724-8287-cc4786a28e59", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832077Z", "creation_date": "2026-03-23T11:45:30.832079Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832085Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "87fbc22a0d7a65cf3078f1ff46f7b82922a3d8a5cf9b7e5d4c5bb885d1fc7009", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "42318282-1774-5511-a02a-11bc363b97f6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978283Z", "creation_date": "2026-03-23T11:45:29.978285Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978290Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9b55b35284346bbcdc2754e60517e1702f0286770a080ee6ff3e7eed1cab812a", "comment": "Vulnerable Kernel Driver (aka nt5.sys) [https://www.loldrivers.io/drivers/193df066-c27c-4343-a4eb-ad2ac417a4cc/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4234a72b-d951-583b-a045-1d58879d60a9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982200Z", "creation_date": "2026-03-23T11:45:29.982202Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982207Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aa7f25d4857a4b443222934bcbb0904348a799fc884096f653d921817c0b34aa", "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/b03798af-d25a-400b-9236-4643a802846f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "423cbc49-7518-5b34-8dff-e3a5c7d2a54c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829255Z", "creation_date": "2026-03-23T11:45:30.829257Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829262Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3171fc751a20680b3eb75b6a1a4767cbe4a8296c3b4f7d93781bfe176e5a6b75", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "424203b8-e331-5d89-a3ad-fef08d05be5f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981977Z", "creation_date": "2026-03-23T11:45:29.981979Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981985Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e", "comment": "Malicious Kernel Driver (aka wantd_6.sys) [https://www.loldrivers.io/drivers/127cde1d-905e-4c67-a2c3-04ea4deaea7d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4245fd3a-e2b1-576c-979d-a85babbe99ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818701Z", "creation_date": "2026-03-23T11:45:30.818703Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.818708Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5fc66378fe68a380ccfab3521657b38912ca1fe5a8d7c857f591e928ab0b4208", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4249144b-9ad1-50e6-aa0f-e5203351323a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154639Z", "creation_date": "2026-03-23T11:45:31.154641Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154646Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f35a53c8e43f4738162ce8fed947c77e435295084ed517aeb0ab605f3c31078e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "425a2d2d-2798-5660-9769-bba4b58a2fcb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498282Z", "creation_date": "2026-03-23T11:45:31.498286Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498294Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "221a23982eb9f68ce42f415449c29aafbfdc5b185ec5db7907c3036fd9e6f5a4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "425b5c62-7e16-5833-8e63-0dd9cb8c1a96", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971336Z", "creation_date": "2026-03-23T11:45:29.971339Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971347Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "76614f2e372f33100a8d92bf372cdbc1e183930ca747eed0b0cf2501293b990a", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] 
[https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "425cde7b-40c5-548a-835a-e9764a4dc553", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974927Z", "creation_date": "2026-03-23T11:45:29.974929Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974934Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cb21a13819bf295f34f5b34e3e566d25d880b045831e90ff610daf9e8b1f15cd", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "426791a9-29ef-59b9-9b1d-72523bf8f27c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985933Z", "creation_date": "2026-03-23T11:45:29.985935Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985941Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4f02aed3750bc6a924c75e774404f259f721d8f4081ed68aa01cf73ca5430f85", "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "426ba44c-104d-5045-9687-7fc5ab06e359", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810576Z", "creation_date": "2026-03-23T11:45:31.810578Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810583Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6a65893522643740e9ba6032804eed874dc06a7a4102cf77d6a7817db77a5201", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "42789297-8eb3-597e-9890-98bfe53563cb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978615Z", "creation_date": "2026-03-23T11:45:29.978617Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978623Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "37dde6bd8a7a36111c3ac57e0ac20bbb93ce3374d0852bcacc9a2c8c8c30079e", "comment": "Vulnerable Kernel Driver (aka bwrsh.sys) [https://www.loldrivers.io/drivers/974de971-1f78-47b9-8049-6c34f294acd5/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "428ec23c-78ac-5bf2-b728-193dd466f694", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834578Z", "creation_date": "2026-03-23T11:45:30.834581Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834590Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d9a51d54ff081f05c3ec8edb2ec962bd65551b604c8ec958d0fd7ffbef9c6767", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "429b420e-2d25-56c7-970a-2e23c0b75434", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823590Z", "creation_date": "2026-03-23T11:45:30.823592Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823598Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "46e6d35814d232f0463bae3e1d62e1223712ff2332381ba57b81b17d28094991", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "42c8f827-c7c8-5780-90ec-b0ef4a4894d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816265Z", "creation_date": "2026-03-23T11:45:31.816269Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816276Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6747ddf15cb0b7e570b67b030d999e300ad20d09f469076309f402cc89e838b2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "42d3ff0b-4f0f-5c97-aaaf-e318986da366", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983561Z", "creation_date": "2026-03-23T11:45:29.983562Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983568Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fcdfe570e6dc6e768ef75138033d9961f78045adca53beb6fdb520f6417e0df1", "comment": "Vulnerable Kernel Driver (aka cpupress.sys) [https://www.loldrivers.io/drivers/c0645f0f-9b97-4fe9-811e-2e45c250c9ef/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "42d66d37-8a8b-5e53-b993-6db4b13b5b8a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495004Z", "creation_date": "2026-03-23T11:45:31.495006Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495012Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "96d63d9e47520118cabac54ebd80b264e9f61425a2ddef2efb0433ef3ba4538e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "42d6ebb2-3e20-5065-9705-08cdd285cca9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835267Z", "creation_date": "2026-03-23T11:45:30.835270Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835279Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"95cbd3d9f485a1e5a9a24d819e21b89bcb576a937bd9b29e76bf2fd36d9abf3b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "42db1acf-3baa-559d-92ac-843995acbd49", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820408Z", "creation_date": "2026-03-23T11:45:30.820410Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820415Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c490d6c0844f59fdb4aa850a06e283fbf5e5b6ac20ff42ead03d549d8ae1c01b", "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "42e8fdf9-318f-53ee-bccf-8bf7eddcb29b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.471926Z", 
"creation_date": "2026-03-23T11:45:31.471929Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.471938Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1bb41517da813467dc2bc6ba3b0edfc572685b2829a4f53dedf9003ed7873585", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "42ef1fb6-5792-5e4f-bf71-bef9e3487763", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832315Z", "creation_date": "2026-03-23T11:45:30.832317Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832323Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "28026b2499bdaa4a19ed896e4bd77adb1a00b7f0575903dad25700025e588bfd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "42fc1784-da1a-533d-9023-3091c9178eca", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144890Z", "creation_date": "2026-03-23T11:45:31.144892Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144898Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "277c0ad0253ae2b95029b15a1de09347ad79504e1895cd7f3d8f4301941840ff", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "43090516-aae3-540a-8c34-e2b12cb654cc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823936Z", "creation_date": "2026-03-23T11:45:30.823938Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823951Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "c23d427b9e2f82b2e76990423d71302347eec638291d316162848ce5c8c9e127", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "431e8288-f2d1-5673-8d3b-0f60db8ec7f9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968613Z", "creation_date": "2026-03-23T11:45:29.968615Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968621Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4da08c0681fbe028b60a1eaf5cb8890bd3eba4d0e6a8b976495ddcd315e147ba", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "43339524-6517-5cdc-a2ce-4cd107c93ec0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:30.461697Z", "creation_date": "2026-03-23T11:45:30.461700Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461708Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7afdb552a7fa25dd716fe3a55c988a59d120e78f9ee95067f31901f51987ab8d", "comment": "Vulnerable Kernel Driver (aka titidrv.sys) [https://www.loldrivers.io/drivers/705facba-b595-41dd-86a6-93aefe6a6234/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4338542b-c92f-57fb-ac09-e7dde9fcf460", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819071Z", "creation_date": "2026-03-23T11:45:30.819073Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819078Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "93cdc6e885459d95d5e9d6b2ee979e5cad44af1f57bca3947d594847cfbd5829", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4368beaf-8942-5979-8455-56b6fa943495", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 
10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977934Z", "creation_date": "2026-03-23T11:45:29.977936Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977949Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "58c071cfe72e9ee867bba85cbd0abe72eb223d27978d6f0650d0103553839b59", "comment": "Vulnerable Kernel Driver (aka LgDCatcher.sys) [https://www.loldrivers.io/drivers/a8e999ee-746f-4788-9102-c1d3d2914f56/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "438f0b07-003e-5208-9167-636191eb5477", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140132Z", "creation_date": "2026-03-23T11:45:31.140135Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140140Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "46bbd4f34a828cd453ccafedb8b8324c8932ad364cbeb976cd246ad87a235335", "comment": "Vulnerable 
Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "439744de-d70a-5c52-9d5a-80dc09625405", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473357Z", "creation_date": "2026-03-23T11:45:31.473361Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473371Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "08eb3cc0078e0cb5efa0db9840c9b50740fbc6e00c7463bd876bb2623d6f6cf5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "439d9a33-4f95-5e9b-b3b2-348f4d457193", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157314Z", "creation_date": 
"2026-03-23T11:45:31.157317Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157323Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "16ab022a72256fdf002fe69d9a15867c6bc710f67aacf8bd15a5518daee07862", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "43a57e7b-1e6a-5e78-ba70-9bfe97a1867b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613735Z", "creation_date": "2026-03-23T11:45:29.613737Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613743Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1d0397c263d51e9fc95bcc8baf98d1a853e1c0401cd0e27c7bf5da3fba1c93a8", "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"43aa8ac6-2aed-5369-a9a7-ca12b9fc6d51", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818899Z", "creation_date": "2026-03-23T11:45:31.818902Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818910Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bf82ad779c62df6d85fd97a21258543cf7f25947f67d9d5ce35d73a2cfef6f95", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "43b0ef74-1d6e-500b-942e-dde6933571d3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968951Z", "creation_date": "2026-03-23T11:45:29.968953Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968959Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6e0aa67cfdbe27a059cbd066443337f81c5b6d37444d14792d1c765d9d122dcf", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "43be0e44-e6ad-588c-9ae9-8c2cf439f831", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970623Z", "creation_date": "2026-03-23T11:45:29.970626Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970634Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff3612ac3d95adc372cc9df3bdcaec657740d413d8d836bf367285acc5434085", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "43d6686c-09a3-5dc4-921e-14fa7e5b3f12", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.488223Z", "creation_date": "2026-03-23T11:45:31.488225Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488230Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3a7e1bdc61c90808173e4745808fec9c9d21d77111bae07ae387b12782344902", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "43dc0db8-d179-5b59-95d2-c308a08103d9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605891Z", "creation_date": "2026-03-23T11:45:29.605893Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605899Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "accc8e337514f7a29c776518f83b925d3096d51e0aedd06ab75250c463f2a132", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "43e092c4-c9f3-59a3-8fde-808f9b9c3307", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826621Z", "creation_date": "2026-03-23T11:45:30.826623Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826628Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4f981d1b09125f168c6868962dcd9e9991c494a8610874748250cfcc4af7797b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "43e96b9a-3413-5bc8-aa1a-30a5818810f2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607130Z", "creation_date": "2026-03-23T11:45:29.607132Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607137Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "87e38e7aeaaaa96efe1a74f59fca8371de93544b7af22862eb0e574cec49c7c3", "comment": "Dell vulnerable driver (aka dbutil_2_3.sys) [CVE-2021-21551] [https://github.com/SpikySabra/Kernel-Cactus] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "441530f7-6df6-5dfc-95a8-6016184450b2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156196Z", "creation_date": "2026-03-23T11:45:31.156198Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156204Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fba0815c4be3fb2b11c066560c5d0265ff94d01795a88ca74e8c7f360bdbcf7f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4419950d-04ad-5ea6-8f4d-e2ddb8dc2d44", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.475475Z", "creation_date": "2026-03-23T11:45:30.475478Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475487Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4225bd4ba3f5d6d5cbd0606402aedca7342e2538abf85309ed3ccef0a738cbb8", "comment": "Malicious Kernel Driver (aka a26363e7b02b13f2b8d697abb90cd5c3.sys) [https://www.loldrivers.io/drivers/ef6b5fe8-6c4b-4b32-8adc-c1d8a83e8558/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4423177c-9e0b-59c9-85fe-a7e374c50dfe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830150Z", "creation_date": "2026-03-23T11:45:31.830152Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830158Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "85bdd4eb7868d84c15de202018937838f5c9b6b173c30cd6228cb9272b567182", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4423bf76-16fa-548e-85fd-a01e1b4beffb", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811957Z", "creation_date": "2026-03-23T11:45:31.811959Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811965Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ecad5289a6955e2dd72964beb6fe9d56ce961f00dad451e955af0ce399ae4c63", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "44366df7-cc5c-556a-8ebc-32014bce353b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490023Z", "creation_date": "2026-03-23T11:45:31.490026Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490035Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "a12502e4943714591eafa4a56da73d3df723ba2f873826d6b4bd48a1929a69ea", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "444857d4-8300-5edd-9957-19dcd39282de", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976446Z", "creation_date": "2026-03-23T11:45:29.976448Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976453Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "444d6267-1103-5085-bbce-8c5c7ac39698", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832712Z", "creation_date": "2026-03-23T11:45:30.832714Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832720Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6ebd3a622b92f28e6adb3570a0b9d11c166a3df492118aa7d27608735d304da7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4465a05b-a8e3-5236-b94b-d69ecf2393d3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145585Z", "creation_date": "2026-03-23T11:45:32.145587Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145593Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "56ece6b6b1d2da18458c9d8edc586bd2b9f7c4b092a9745fbed659238b2b3157", "comment": "Vulnerable Kernel Driver (aka pxitrig64.sys) [https://www.loldrivers.io/drivers/c8619f49-8e23-489b-9878-53d27533da15/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4480634c-180c-5b8a-b90e-d002b4460409", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617448Z", "creation_date": "2026-03-23T11:45:29.617451Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617456Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c825a47817399e988912bb75106befaefae0babc0743a7e32b46f17469c78cad", "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4484d04f-e24e-5e1f-85e6-b60c2c1a3479", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619829Z", "creation_date": "2026-03-23T11:45:29.619832Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619839Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "85c5e66f38152d17d5b580126b3348579263bbc8fd22e5417c0090fd75a330ac", "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "44856600-f87f-5fb5-8dcb-4feaffb7a739", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494638Z", "creation_date": "2026-03-23T11:45:31.494640Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494645Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "25c22c2f8a531085ec80c2da27bd1747ff7b7aad4918b59828607edfb9f44802", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4491e865-c96f-55b6-a95f-7c0dc7c11bb4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145930Z", "creation_date": "2026-03-23T11:45:32.145932Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145937Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2559a34af1cc5cd65bfd4334d053294046e05d833937e3b6fbfe7ddd381d0963", "comment": "Malicious Kernel Driver (aka driver_d9f15d91.sys) [https://www.loldrivers.io/drivers/576bb95a-f15e-4a0d-bcee-08791e1504e2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "44935acf-c6ff-55a8-9f5f-03d963e5c209", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495529Z", "creation_date": "2026-03-23T11:45:31.495531Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.495536Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee5d373e156cff39edeb97f3c5c18ff312d2157d856cd2f594af1d7cf4e61749", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "449fb1fe-4b65-5e77-b233-a152fad8466b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494222Z", "creation_date": "2026-03-23T11:45:31.494225Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494232Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b2e17957495b1fd61690f4e580a3038c5dc773d86567034669d3fe0cdc35653a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "44a43175-f9c7-5fea-90dd-0ba302eb4b6a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829681Z", "creation_date": "2026-03-23T11:45:31.829684Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829693Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9bbd93e1a032616ad55c4f8a92e78a849e424eb6d4cd945d794fbd39a234ce58", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "44bc1f4e-ebf3-51d5-b086-d7b2b200afa6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822817Z", "creation_date": "2026-03-23T11:45:31.822820Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822829Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3cba4367e05c7155638ee729e00f6cb42d35088316c62fa9cfea18a2b1af4d04", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "44c3bbc6-6281-5ee9-b4d5-d7243f2480ef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615220Z", "creation_date": "2026-03-23T11:45:29.615222Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615227Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7334c46a55acf8bb18435ab60ed9b89f2c1ab31587ef052730358efc32fddb62", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "44c56f4d-5b4f-5634-ad0c-5f6667c902c0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488431Z", "creation_date": "2026-03-23T11:45:31.488433Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488438Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c57561416c054c66190056ca3a8633d6123d51f3e8c9cd032545938326f22cd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "44e44eec-6c72-54f4-8633-bfc852f8dad5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968740Z", "creation_date": "2026-03-23T11:45:29.968742Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968748Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cb8aef4049f78c3ca1c0808b95a8d3f975e00e1b570b890d1d5915e1e804574e", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "44ecf641-4932-55d7-bbe2-48e84ed5f4a2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817768Z", "creation_date": "2026-03-23T11:45:30.817771Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817779Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b8e047a7c96a94eb7cf0416253eca48fa7ba66914b684ee75e81651c83c7ac30", "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "45014412-5e9f-5477-8bf9-7c2fd94ffc25", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156380Z", "creation_date": "2026-03-23T11:45:31.156382Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156387Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ded7a01c322d1a61683b93b9f2aec35c2a2d98f7bb4aad2ffa9ba6138d7276cc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) 
AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4505253a-eb61-5ab1-be9c-0ed335a9d6bc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492853Z", "creation_date": "2026-03-23T11:45:31.492856Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492865Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "65181921bd04e45ef68257afad11f3f22a864d80e7fea5dcf74f8e7cf40d59e2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "45076210-e771-5434-8038-ad17af824194", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142541Z", "creation_date": "2026-03-23T11:45:31.142543Z", "enabled": true, "block_on_agent": 
true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142548Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e9d8ba7a075bbf1085f34d64dc9225b85be30f6a61b297203db23c484878d903", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "450e0efd-0e8d-5b5a-a9a2-8dcc0e95993a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834786Z", "creation_date": "2026-03-23T11:45:30.834789Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834798Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a654e7f84e3589acb475f3962c2cf00f2f15e523ec931b11b57bdeb292981255", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "451aa41f-6b39-5662-a56b-c5619061b098", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160439Z", "creation_date": "2026-03-23T11:45:31.160441Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160446Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "54e230432e4bd8adaff7afdb4f3a0118b348b81697998701fee1018ba180e554", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "45212cfa-e44f-5ace-ae21-f7d5edfd09af", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477112Z", "creation_date": "2026-03-23T11:45:30.477115Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477125Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"1f15fd9b81092a98fabcc4ac95e45cec2d9ff3874d2e3faac482f3e86edad441", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4539174d-5cf9-53df-95fc-167ea0515560", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979533Z", "creation_date": "2026-03-23T11:45:29.979535Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979540Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f936ec4c8164cbd31add659b61c16cb3a717eac90e74d89c47afb96b60120280", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "453ee8e1-bdb8-5a4f-867a-3de858e9a833", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456839Z", "creation_date": "2026-03-23T11:45:30.456842Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456851Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c79a2bb050af6436b10b58ef04dbc7082df1513cec5934432004eb56fba05e66", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "45586c36-5229-5c5f-8787-694a0834f01b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478484Z", "creation_date": "2026-03-23T11:45:30.478487Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478496Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1d1bd2235d422954506b1bdb3070d9d8bada3fb7f9e4f658036031294b3a95df", "comment": "Vulnerable Kernel Driver (aka vboxdrv.sys) [https://www.loldrivers.io/drivers/2da3a276-9e38-4ee6-903d-d15f7c355e7c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4562f796-91e0-5602-a4d0-30da2dbb8fc4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968185Z", "creation_date": "2026-03-23T11:45:29.968187Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968192Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9fc29480407e5179aa8ea41682409b4ea33f1a42026277613d6484e5419de374", "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4565b1bc-7f92-58aa-803e-e954df29e81c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481823Z", "creation_date": "2026-03-23T11:45:30.481825Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481831Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7c79e5196c2f51d2ab16e40b9d5725a8bf6ae0aaa70b02377aedc0f4e93ca37f", "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4569b94a-8fca-5edd-9cbf-9c0626eafc44", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972266Z", "creation_date": "2026-03-23T11:45:29.972268Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972273Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "46ec6310c5ea5e289299d40f5ecca82b9c722ffc766dfd08f36dc88835e63567", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "456cec38-b53f-5ae3-a145-2908ebfdd8f2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819812Z", "creation_date": "2026-03-23T11:45:30.819814Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819820Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d633055c7eda26dacfc30109eb790625519fc7b0a3a601ceed9e21918aad8a1b", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "457eabaa-fe04-5090-89b5-5f2cd7bd3e36", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823899Z", "creation_date": "2026-03-23T11:45:30.823901Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823907Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4bfb584ae2dd1bba593ac142b6c9a1a2640955759b72123ee7b58f8eaaa9f748", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "45887fa2-ce12-5791-9b0c-e836976d9a9f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827622Z", "creation_date": "2026-03-23T11:45:31.827624Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827630Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e1d560040819f308d820032547d9ad1cf11fdfbb400241bf877e6f5e51900710", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "459189c9-317c-5e00-ae48-ba457e6a168b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815197Z", "creation_date": "2026-03-23T11:45:31.815199Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815204Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "571c3cebc7009f1243b97dd381962e78d736b209955f8c2e5a30d970c155f3f7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "45af8571-3d48-525f-b480-ffa43e8a14aa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827380Z", "creation_date": "2026-03-23T11:45:30.827382Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827387Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b366e96694d76b1947ed0e22b574f39cbe0b6d352851b720825b8a0df1aafa51", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "45b0f535-3779-51fb-a9d2-9678488937b5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614700Z", "creation_date": "2026-03-23T11:45:29.614702Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614708Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9254f012009d55f555418ff85f7d93b184ab7cb0e37aecdfdab62cfe94dea96b", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "45b8251c-2d88-589a-b737-2e6d1e6c782c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828423Z", "creation_date": "2026-03-23T11:45:31.828425Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828430Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e4359b5925ca4333933552b4c44efe4f9d9378e54df71f7c70a9e2fdb20c2bbb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "45c30462-2dfe-54f7-b520-75808fe202bc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811204Z", "creation_date": "2026-03-23T11:45:31.811206Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811212Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "33021ab48739c767cabe762c52a7720fafdd796f8b86027000cbcce295b04458", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "45c3597a-d563-5126-84f8-f26aefb09714", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160830Z", "creation_date": "2026-03-23T11:45:31.160832Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160838Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "05f535063639c8bdfd1ef2054bff3f58ef9f4f30e88d7eeecb9f8ee915be535e", "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "45d06e78-c471-5ae4-82ac-b14c298f662f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156672Z", "creation_date": "2026-03-23T11:45:31.156674Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156680Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b76bdd3647d1124d3e750092a5bfaffa26b6c4f79e0891188c167f97ccb78675", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "45f62cec-5051-5f7b-a9f9-3df131519b39", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821815Z", "creation_date": 
"2026-03-23T11:45:30.821818Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821827Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "665b45ff2a2054ffdb3ea55031802c1d7fd3db843ecbcf74b227e0200b37cd56", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "45f69431-1fe9-57bf-b081-fe01af4598e8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486997Z", "creation_date": "2026-03-23T11:45:31.487000Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487008Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5f437fc04c721810d1885248c8f6caa1438e3af339502d2319dd3fca265fcad7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "46000d63-b246-570c-9312-3f794e710c45", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148520Z", "creation_date": "2026-03-23T11:45:31.148522Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148527Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e85fc55ac3ccd0525ca75e38f2b014d292e49fe6a3d795ff1714600e7120eb02", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "46013a0a-36d1-5140-abd5-83690ddb64b6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492945Z", "creation_date": "2026-03-23T11:45:31.492955Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492964Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"7e57d43143afad8fbefa89a9a9da758e3e22bb56c75f337dc78517a633716407", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "460187ee-1b30-5c92-a3cd-0d53b85c4095", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.147022Z", "creation_date": "2026-03-23T11:45:32.147024Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.147029Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0", "comment": "Vulnerable Kernel Driver (aka ThrottleBlood.sys) [https://securelist.com/av-killer-exploiting-throttlestop-sys/117026/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4613b875-0d91-5a2c-b65d-7ff847735fc0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606192Z", 
"creation_date": "2026-03-23T11:45:29.606194Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606199Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "88e2e6a705d3fb71b966d9fb46dc5a4b015548daf585fb54dfcd81dc0bd3ebdc", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "46197192-f5c9-53ab-8c11-a765e383da3b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614998Z", "creation_date": "2026-03-23T11:45:29.614999Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615005Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e83908eba2501a00ef9e74e7d1c8b4ff1279f1cd6051707fd51824f87e4378fa", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "461a88fe-467f-5879-a1ab-0f061f0ae7cd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610898Z", "creation_date": "2026-03-23T11:45:29.610900Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610905Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8c95d28270a4a314299cf50f05dcbe63033b2a555195d2ad2f678e09e00393e6", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "461fb871-c844-5066-8f78-7de76b501241", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814602Z", "creation_date": "2026-03-23T11:45:31.814605Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814614Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a9293cc70bc90846a6a22e6b6b2db2c5c6a15c9607646a97277d0b2efc64191d", 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "462d378c-22a9-5cf7-a851-c72a93328ae8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464424Z", "creation_date": "2026-03-23T11:45:30.464427Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464436Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "52f3905bbd97dcd2dbd22890e5e8413b9487088f1ee2fa828030a6a45b3975fd", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4641820e-ef98-555c-80a7-466b06a7765f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817569Z", "creation_date": "2026-03-23T11:45:31.817571Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817577Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8bbfcfb9793d8c06af261bdb80838a5b8d4a6623bd99207511179e49af015eb7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "464a351e-996d-5c37-a861-927ae7688a82", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817187Z", "creation_date": "2026-03-23T11:45:31.817189Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817195Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "79d14e50c465c3d395d636876edbbbe305843c745180f6cda854db28c97d4990", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "466d4cc1-2fc4-509b-a5d9-a32a6e3b7f6d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980323Z", "creation_date": "2026-03-23T11:45:29.980325Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980331Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4c2d2122ef7a100e1651f2ec50528c0d1a2b8a71c075461f0dc58a1aca36bc61", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4678d189-f7e0-5062-9e72-c7c2aa9675b7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454153Z", "creation_date": "2026-03-23T11:45:30.454156Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454165Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "367035e87b8a361bdc51f55a2467b2606eb29feae3af892d8c17df1841c20b97", "comment": "Vulnerable Kernel 
Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/bc5e020a-ecff-43c8-b57b-ee17b5f65b21/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4681e49b-3a92-5ed3-9955-eee7b359aa2c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622862Z", "creation_date": "2026-03-23T11:45:29.622864Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622881Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "542cd21b0c835b818e6b2eea2efe5b340ff3d554b2b7e13af084f0817cc920fd", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4688935a-aa68-54bb-8403-ccd265f93dec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831730Z", "creation_date": "2026-03-23T11:45:30.831732Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831738Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "69e26ad15c0a8128af8b33d0eed0674137f040386fba9bdb2951f5316380047f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "468b5f63-5c34-568c-a2ae-1478c843abb9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816845Z", "creation_date": "2026-03-23T11:45:30.816849Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816855Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "63865f04c1150655817ed4c9f56ad9f637d41ebd2965b6127fc7c02757a7800e", "comment": "Vulnerable Kernel Driver (aka CP2X72C.SYS) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "468ef357-2cbb-5060-a4fe-f2c4969e2a73", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472781Z", "creation_date": "2026-03-23T11:45:31.472785Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472794Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "18d775e0c20385cbf3960af4f34f692413d079c65d0a395cd5666aea1ba2abf0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "469ede74-dea3-54f0-aaf0-86af1b795905", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453072Z", "creation_date": "2026-03-23T11:45:30.453076Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453084Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8b688dd055ead2c915a139598c8db7962b42cb6e744eaacfcb338c093fc1f4e7", "comment": "Vulnerable Kernel Driver (aka nicm.sys) 
[https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "46a13a09-3ebe-5bec-95c1-3ba9bd0bc34b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475945Z", "creation_date": "2026-03-23T11:45:31.475958Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475968Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "338640f5bd468ab9235be611cd141dd55bc90b90f4c1d182b81ee28946870cf6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "46a861e5-7908-547a-8e1f-eb47b8277b7b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612868Z", "creation_date": "2026-03-23T11:45:29.612881Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612887Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b8fcc8ef2b27c0c0622d069981e39f112d3b3b0dbede053340bc157ba1316eab", "comment": "Marvin Test Solutions HW vulnerable driver (aka Hw.sys and Hw64.sys) [https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "46aa5cbc-c18c-5ee4-bb6b-7c2aeb979b60", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473608Z", "creation_date": "2026-03-23T11:45:31.473612Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473623Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3729b57e32e9e97a62afe6ded0f9df82680df58165727a6f89470a29631364f0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "46bd6960-86b7-5e4c-84e2-5ee8abe6019a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822264Z", "creation_date": "2026-03-23T11:45:30.822266Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822271Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b4341b5814bf1b0291739f00c359f9dc1e3b8a66dede099086f9760f7f4e0885", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "46c130a2-b83f-5a8e-b4f7-d96b98955594", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824258Z", "creation_date": "2026-03-23T11:45:30.824260Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824265Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "31a0a87bfcfbd1e3b11d7b243d00afa64e2c929650abd4f25bbbab6076a09eb5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) 
AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "46c17287-e333-57c2-ba23-9c41a3043188", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486830Z", "creation_date": "2026-03-23T11:45:31.486833Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486842Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8f4fce3299c057b842729aeeeed7357b9e49d39eb7cd441d8c27429c0e6f5344", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "46c4b987-8405-5e51-abe3-16979c32d9e4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463241Z", "creation_date": "2026-03-23T11:45:30.463244Z", "enabled": true, "block_on_agent": 
true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463253Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0f98492c92e35042b09032e3d9aedc357e4df94fc840217fa1091046f9248a06", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "46c60627-4024-5982-a0dc-53158bbd3bb2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492303Z", "creation_date": "2026-03-23T11:45:31.492305Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492310Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f8d010b6ac526ca64bd8e83b85f70d012e0c70f9fef7a994c81b23374cabdfd6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "46c9f10d-bef5-5fc8-ad27-ab886dc9f099", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609111Z", "creation_date": "2026-03-23T11:45:29.609113Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609118Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cfc5c585dd4e592dd1a08887ded28b92d9a5820587b6f4f8fa4f56d60289259b", "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "46e1caab-e832-52ef-a626-e70f095ffa09", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146331Z", "creation_date": "2026-03-23T11:45:31.146333Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146338Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1f831d25420ac04def39ee82c27d04a399c5c190c0e0b46f3ae9f633af9c67f7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "46e448ef-039e-52ed-add9-8a1b75817393", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822493Z", "creation_date": "2026-03-23T11:45:31.822496Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822505Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "478d8b424aea58c61633bd61bfb5c869b7b6657bec5c0e94b94ad420ead4087f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4700c6d9-95c2-53eb-8f37-fcd863c9d622", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831109Z", "creation_date": "2026-03-23T11:45:30.831111Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831117Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "866d0e5b9ee58fbd240988ec6339f4969e8f07f1c2db0f41aa5051d1a2cdb0d1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "471c270b-b1f9-5924-8e0f-9ae7d30f098c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617626Z", "creation_date": "2026-03-23T11:45:29.617628Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617634Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "43c44fde2c29ea68e5af2c7684d069ae0ab94c9f0e790c5530d17ac3be7d4076", "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "475d0c41-fe6d-5f32-bd5d-800a1ba62fa2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807714Z", "creation_date": "2026-03-23T11:45:31.807717Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807726Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9d072f75fb30b7e26a0b4fd3b424b98ca0d027663ca4a7e93231d6113ed006d1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4777c8c4-651e-52b8-8538-302579303eb8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973755Z", "creation_date": "2026-03-23T11:45:29.973757Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973763Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "76e807b6c0214e66455f09a8de8faad40b738982ca84470f0043de0290449524", "comment": "Trend Micro 
Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "47877298-f828-54f3-815a-98a92bd7012d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160854Z", "creation_date": "2026-03-23T11:45:31.160858Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160865Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea49294c0fd55e801029f6d91fb7214e430129847f000703f64ab55dea5c6383", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "478c5bcf-0e8e-52ed-bd6a-a6848fe623ed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485103Z", "creation_date": "2026-03-23T11:45:31.485107Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485117Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a8e00fc3b744f3e5d3d92540224f47ef464dccb2be3643cb3edfe6b2c8190791", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "478efeeb-cfb1-5749-b6c5-bd400eed0311", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461070Z", "creation_date": "2026-03-23T11:45:30.461073Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461082Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b749566057dee0439f54b0d38935e5939b5cb011c46d7022530f748ebc63efe5", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4793c542-0ab5-57ca-a27b-eb5f6d91cda6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488908Z", "creation_date": "2026-03-23T11:45:31.488910Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488915Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "87905c83e18400b2f15f26e8e22ec9e245778f8e35d085b3277c044eae9cc4d3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "479477a2-1417-5663-927e-489e9e90c8b3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818291Z", "creation_date": "2026-03-23T11:45:31.818295Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818303Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8aef476014f44450ac2b1bd46946473f51aa6cba2fbfa0b65d9fa68d34398def", "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "47a88448-4b89-5a9e-8cef-a3633f100845", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476707Z", "creation_date": "2026-03-23T11:45:30.476711Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476720Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9ce5188745ffcb5dc8304dac97cd037360600d8eb4739cfdbfb06bcd0efd72e4", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "47af286e-82b8-5ed2-8f97-ff83ded88a8a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830634Z", "creation_date": "2026-03-23T11:45:30.830635Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830641Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b19f6fac202bb7f878a79d1be3f8631e5dff44560692235f31deb68710148bec", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "47d3467b-4e82-5941-817e-eaff6e052a0a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150142Z", "creation_date": "2026-03-23T11:45:31.150144Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150149Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee768d53efcca87b44c6d6b0e306059acef1a481aa5e02694b8a353890cbf6f9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "47eafdb3-ec10-58cb-800c-26f4596fd205", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477898Z", "creation_date": "2026-03-23T11:45:31.477902Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477913Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "82d6dc7fae155d0589a55a88a1f91d2ca48f7aaff316390eb70f7598eb1cb659", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "47ec7d52-a4df-5b2f-aa92-c188d6e37d52", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974557Z", "creation_date": "2026-03-23T11:45:29.974559Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974565Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"a553ba125adf00a769718d5cd26ed1a59b5e397956ebc6163973b10fe8c58214", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "47f34d50-d3bc-5bfe-ada1-766c5049aa54", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144020Z", "creation_date": "2026-03-23T11:45:31.144022Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144028Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "be3eff65d045b8da69a4fff97851914c9593b28eb0e1341752c2b5b6a77b3e60", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "47f47acb-0eeb-5f94-b6dd-bcdce46a3c07", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:30.833561Z", "creation_date": "2026-03-23T11:45:30.833564Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833573Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "54244d2b495401912a0f7957e11f9b9a275e10237fc2b37c899e453993f3fa33", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "47ffc318-34ec-5cca-8272-5d0a36307a97", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824203Z", "creation_date": "2026-03-23T11:45:30.824205Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824211Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d52cb77b427ddb1227990d84e670ec4d1dd3e5c87ffe18567fd384eab09ec6ff", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"481457c6-2042-5d84-a37e-4bcf33c2ec79", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823967Z", "creation_date": "2026-03-23T11:45:30.823969Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823975Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e545e92fbb223dee4b62ff7f9ae11ad06ff36be47b6ca9eb4f40bf6f08de8d21", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "482b0e84-f935-5bed-a66a-76ba67939a18", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144037Z", "creation_date": "2026-03-23T11:45:32.144039Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144045Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c3d48dddef790a45ef9feaa5978ec90c9cd4b2de4746896c446ffa08d488170a", "comment": "Malicious Kernel Driver (aka driver_c3d48ddd.sys) [https://www.loldrivers.io/drivers/f6c08b8a-1d25-4bf1-9d4f-5368c1f6cfe7/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "482b9f57-75f4-5c0c-bce6-3bb7c5ce2388", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969558Z", "creation_date": "2026-03-23T11:45:29.969560Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969566Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a4680fabf606d6580893434e81c130ff7ec9467a15e6534692443465f264d3c9", "comment": "Vulnerable Kernel Driver (aka HpPortIox64.sys) [https://www.loldrivers.io/drivers/13637210-2e1c-45a4-9f76-fe38c3c34264/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "48364e33-fabb-5d9f-97ea-ccfc5eabf618", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:30.481151Z", "creation_date": "2026-03-23T11:45:30.481153Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481159Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "34f26fbfb72329cbb7f25d2b40cb0f553e1a80373972bcdad62c3c6284d5b2b1", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4852904d-6fe6-5184-8cfc-08fd494f03ba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828547Z", "creation_date": "2026-03-23T11:45:31.828549Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828555Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ea8dd91131592f6017578965305a4caf61e7430e8d2c31ef823e2da45a93a7f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4858ebcf-be21-5624-bffb-4d039a11658d", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826629Z", "creation_date": "2026-03-23T11:45:31.826631Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826640Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "85c83185fc68bf096dad74ab1264417c4f223116e5053043d05bff4b7414b7ea", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "485b4a24-14e8-508f-a5c3-6b068ee699ba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.478910Z", "creation_date": "2026-03-23T11:45:31.478914Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.478925Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "2b3013268634b4bac0fd3f7ab36c71be8f858c767c5955577ddfe91b5ad22e78", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4860f692-8954-57a0-bfd9-b649e9a60546", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828779Z", "creation_date": "2026-03-23T11:45:31.828783Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828791Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9450aa820c5a58e5786861e4c5f3df3c96939844a9f134e6b190e71d0ab098f3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4870a635-d182-5af1-b01b-3f4c82e68157", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985251Z", "creation_date": "2026-03-23T11:45:29.985253Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985258Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd53f7e910ed37bf11a473c116fc33d7799f25213dd4e0191085040eb45c3e4e", "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "48715460-90b7-5f09-8c2e-1b5002af8fac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975974Z", "creation_date": "2026-03-23T11:45:29.975976Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975982Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e2606f272f7ba054df16be464fda57211ef0d14a0d959f9c8dcb0575df1186e4", "comment": "SystemInformer driver (aka systeminformer.sys, formerly known as kprocesshacker.sys) [https://github.com/winsiderss/systeminformer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "487ada8e-895f-5e5a-91f6-6784419a6c68", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979955Z", "creation_date": "2026-03-23T11:45:29.979958Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979967Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fd8a5313bf63f5013dc126620276fb4f0ef26416db48ee88cbaaca4029df1d73", "comment": "Vulnerable Kernel Driver (aka nt3.sys) [https://www.loldrivers.io/drivers/d5118882-6cdd-4b06-8bf4-e9818f16137e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "487c563a-517b-5ac7-b02d-c41443bf20ac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469340Z", "creation_date": "2026-03-23T11:45:30.469343Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469352Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"29b3f3f315179d30fbe75de7b59f09bc7452e6b538ff02b5252c3ee7b26eccab", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "487f66f2-e6a4-5d7e-8cd7-33d9656a7c8b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468227Z", "creation_date": "2026-03-23T11:45:30.468231Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468240Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5ffba52ea8bba7aeaf9fb32e1ba97b5bbd5c31739d594e722d9e89907dbb5cdd", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4887ca8e-4fde-5c0b-af84-6374e77f189a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607526Z", "creation_date": "2026-03-23T11:45:29.607528Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607533Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "18712a063574bfec315d58577dfe413ab45b650e54747d1e18a56c3c7337a12c", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "488cc101-b4c4-5838-8a6f-2b030729e9ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973165Z", "creation_date": "2026-03-23T11:45:29.973167Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973172Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d378162a47648bed192270ab4ddd67c99b4ebe8093a267fa1fe1e092559504b0", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "48a52304-d193-5e83-9d5d-026ae04be497", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472183Z", "creation_date": "2026-03-23T11:45:30.472186Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472196Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "be683cd38e64280567c59f7dc0a45570abcb8a75f1d894853bbbd25675b4adf7", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "48a9e746-657a-5bec-8196-f3249693a63f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611762Z", "creation_date": "2026-03-23T11:45:29.611764Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611769Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ded2927f9a4e64eefd09d0caba78e94f309e3a6292841ae81d5528cab109f95d", "comment": "CPUID CPU-Z vulnerable driver (aka 
cpuz141_x64.sys) [CVE-2017-15303] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "48b6a7d1-ec7b-5400-b308-4bd76608cee3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976606Z", "creation_date": "2026-03-23T11:45:29.976609Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976614Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3325f541c9930a321930853e0d7f0f4c35ba99f99a97bfe275c60248957720fb", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "48b6c077-8071-5316-bd5f-a394196bd70b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159031Z", "creation_date": "2026-03-23T11:45:31.159033Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159039Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8b13218595ab037f196cd60fcb63c508dfdb297dc9ec0e1503c98c889bd261e5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "48bea4f6-2d8f-59aa-83e4-651b7fb1f338", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495474Z", "creation_date": "2026-03-23T11:45:31.495476Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495482Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0f94cdfde51e553422161966273904386e78ec50440b3b87453dc272c96e07e3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "48bffc64-bfa0-5d18-a704-505016c9a4fe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818155Z", "creation_date": "2026-03-23T11:45:30.818157Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818162Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bd3cf8b9af255b5d4735782d3653be38578ff5be18846b13d05867a6159aaa53", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "48c1d90d-dde3-557e-b5e2-7f6012d9b58e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147448Z", "creation_date": "2026-03-23T11:45:31.147450Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147455Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "893dc1f05094678d99431e580ae49b12980f8e17faf91716b620920a2ca70f87", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "48cc104e-8ecc-58cf-9e7b-1aae6b015f13", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971470Z", "creation_date": "2026-03-23T11:45:29.971472Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971478Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e428ddf9afc9b2d11e2271f0a67a2d6638b860c2c12d4b8cc63d33f3349ee93f", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys 
and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "48ce33ef-d4f2-5ea4-b09c-2e7aee54ed7c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978153Z", "creation_date": "2026-03-23T11:45:29.978155Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978160Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f8236fc01d4efaa48f032e301be2ebba4036b2cd945982a29046eca03944d2ae", "comment": "Malicious Kernel Driver (aka 0x3040_blacklotus_beta_driver.sys) [https://www.loldrivers.io/drivers/8750b245-af35-4bc6-9af3-dc858f9db64f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "48d79238-e8c3-5271-a44f-d04812bc4c32", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828525Z", "creation_date": "2026-03-23T11:45:30.828527Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828533Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7ce8b50aafe609aa99089555ef270fd5add09356324c4dc48c4ee5f61abf6a38", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "48fd3df5-707b-5fb8-8369-ed3e8db97554", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487975Z", "creation_date": "2026-03-23T11:45:31.487976Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487982Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "18d5c494049fae47cc073a96d01ab43209c44641e3f09901273927fb08cc02b4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "490119f2-8d61-5531-b267-4182f549cab0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616834Z", "creation_date": "2026-03-23T11:45:29.616837Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616845Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7ccc32e11372896cc01d7780e1176ed6fedd17f846001bc3bf78699e4448105f", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "490b8a80-0607-58ee-b194-48f707d73dab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454848Z", "creation_date": "2026-03-23T11:45:30.454851Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454860Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd4fedd5662122cbfe046a12e2137294ef1cb7822238d9e24eacc78f22f8e93d", "comment": "Vulnerable Kernel Driver (aka 
NICM.sys) [https://www.loldrivers.io/drivers/0f8e317e-ad2b-4b02-9f96-603bb8d28604/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "490c18e2-13eb-59a5-8374-d2eb299a928c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146081Z", "creation_date": "2026-03-23T11:45:32.146083Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146088Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "38050334f2043b6f42fccb934b4eebc9211755a0e9ad1485740351a272696f71", "comment": "Malicious Kernel Driver (aka driver_85ca0dcd.sys) [https://www.loldrivers.io/drivers/e1c29414-5b5b-44f4-84cc-e6f55d9a23c6/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4911d9dd-a781-5b78-8c6c-1a98bd1d257e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818505Z", "creation_date": "2026-03-23T11:45:30.818507Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.818512Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bae4372a9284db52dedc1c1100cefa758b3ec8d9d4f0e5588a8db34ded5edb1f", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4924b956-3015-5281-bb7b-fe741d987855", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830771Z", "creation_date": "2026-03-23T11:45:30.830773Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830778Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b3537166808a46eacd98c3b96419b586ce6b94a02b7694ade5f1333cf83069a7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "49258966-1a5c-578e-8491-061c83062006", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971016Z", "creation_date": "2026-03-23T11:45:29.971020Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971028Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "931e4d6f7f04b122bc5bc6a61fb4e0186796623f4fc72d0c42ccfa886f1c5fb2", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4927940f-fae7-5a26-965e-fec21042e33a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498442Z", "creation_date": "2026-03-23T11:45:31.498446Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498454Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e33fc043d24f4ec16763c65a424429fb316b0ffb668271b8f3d3edb58b164ae3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "492cd1fc-24c6-5ab0-adfd-752fa5f349f5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619850Z", "creation_date": "2026-03-23T11:45:29.619852Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619857Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "22afee6f0ec783d59ef4f5d6c189b78fa26302f0ed09670b7bbc9bae26bdb0e5", "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4951b748-bc81-5db0-9931-556b1ba694d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141540Z", "creation_date": "2026-03-23T11:45:31.141542Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141548Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0dff65fb3b2ee96454e641f57a416159d1993c0bec3796aa96b79d9e1248f354", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4957d8c1-c589-50a6-8978-c784de79dec1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477099Z", "creation_date": "2026-03-23T11:45:31.477103Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477113Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee2e35139eedef641adfb4960e647d41e2f12f9fbb995404d30f69d13775fe4c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "495b8d86-bdb8-5629-bcf4-bd5266f8beba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819317Z", "creation_date": "2026-03-23T11:45:31.819320Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819326Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "037cd03cf102c226c51d266f9d35a4bd8aee3e07fac0e07a25e9def9db50e101", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "496b71c8-12ed-58e3-aa03-f02ffa7f546e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832169Z", "creation_date": "2026-03-23T11:45:30.832171Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832177Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cc871d60b9e47e6f3b41abdbc43e7754888d9c72e11877188919582cbba266a8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "49722c51-7f78-546d-925b-fc93bab9f384", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817714Z", "creation_date": "2026-03-23T11:45:30.817718Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817727Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8fe475d3082a0226ae9fa945542ac3e0cb5214c0f44193dcff12514cadf52101", "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "497b38a1-ddad-5c72-9e6f-3f2f3277a6d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809901Z", "creation_date": "2026-03-23T11:45:31.809903Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.809910Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b411b159a3b4de03f801fe44f1712a5881f8ed9640cae3ac1a4605972df08ab0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "497f875d-8af8-5196-94ab-af6304af35e3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476968Z", "creation_date": "2026-03-23T11:45:30.476972Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476980Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "30accf1de5969ff5bf958786b9c9deb9001d1a19d121aac8b3c92c5b463a087e", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "499da550-17d7-53bc-9324-ca8bca8375f4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616703Z", "creation_date": "2026-03-23T11:45:29.616705Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616711Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f9c290ffc007e94fb61aecff42d267c1e626ec7939025b1a7d7285441d1c490d", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "49b1d6a8-50bf-5d5b-83f9-a81ce874666d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981093Z", "creation_date": "2026-03-23T11:45:29.981096Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981101Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c0ae3349ebaac9a99c47ec55d5f7de00dc03bd7c5cd15799bc00646d642aa8de", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] 
[file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "49bd1ec5-5af3-5f87-b261-9b4fea7c94df", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.484025Z", "creation_date": "2026-03-23T11:45:31.484029Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484038Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5339fb0bd4386b1c0606e67b43971737f2758983f745b772975ac04fcad7c6ff", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "49c6d95a-5d8d-5aa7-a881-6f13903df38d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152603Z", "creation_date": "2026-03-23T11:45:31.152605Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:31.152621Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e32cf0b4a39994f1a269d04db6724b5d2561620a0a69ca9e0e9c8e77461ba959", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "49cf91f3-7f95-5919-9f88-573a2a808fba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982590Z", "creation_date": "2026-03-23T11:45:29.982592Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982598Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "954789c665098cf491a9bdf4e04886bad8992a393f91ccbca239bff40cc6dca6", "comment": "Malicious Kernel Driver (aka daxin_blank5.sys) [https://www.loldrivers.io/drivers/0590655c-baa2-481a-b909-463534bd7a5e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "49e9e1a8-d3fd-5fef-aa68-c03650b99b6b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611481Z", "creation_date": "2026-03-23T11:45:29.611483Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611488Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "16398965e9cea179b2e5ca884e3af032dece08d4ef33bdd83234ee441d71a5fa", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "49f7cb42-d428-552d-ac24-0675ceadd54c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619405Z", "creation_date": "2026-03-23T11:45:29.619407Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619412Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ed68f30f8246730c2b57495ed1db1480350d879b01d070999d35f38630865f5c", "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) 
[https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "49fa907d-46c3-5f32-ac96-4dc766ff34b3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607112Z", "creation_date": "2026-03-23T11:45:29.607114Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607119Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "filename", "value": "PROCEXP152.SYS", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "49fd9125-5efd-5e05-b079-f1e2d3104437", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612300Z", "creation_date": "2026-03-23T11:45:29.612301Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:29.612307Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1a4f7d7926efc3e3488758ce318246ea78a061bde759ec6c906ff005dd8213e5", "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4a20e869-0796-5ca6-b994-d781bb8ef324", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831290Z", "creation_date": "2026-03-23T11:45:30.831292Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831298Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "789854191b0b6550656d0f5f939fb8213ac3d7e32620fe794af66f529819a197", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4a3da3a0-1dec-5a35-ba5b-100979e858a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610655Z", "creation_date": "2026-03-23T11:45:29.610657Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610662Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "900dd68ccc72d73774a347b3290c4b6153ae496a81de722ebb043e2e99496f88", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4a492d3a-efd6-51b0-9877-4bc191f4e884", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142452Z", "creation_date": "2026-03-23T11:45:31.142454Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142459Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0b112d137a73e931e1eac4d66d981cc5750e095741a97970bc37e4063b6edbc0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4a4a32c4-64ce-502b-be9c-7516978f4d6f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968648Z", "creation_date": "2026-03-23T11:45:29.968651Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968656Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6521a35800da601f76fe2a8270f6cac17eb491535abf362669f4e2e6c8e155f7", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4a5ba789-a8da-5098-a952-17498fff2d31", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832606Z", "creation_date": "2026-03-23T11:45:30.832608Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:30.832613Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d30609e8e3519fe199762adfc696ccccd9b685a7377ca18addd342c15fa28c6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4a65b4cf-74fe-5492-849f-706b49a8f0ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968686Z", "creation_date": "2026-03-23T11:45:29.968688Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968694Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6fb5bc9c51f6872de116c7db8a2134461743908efc306373f6de59a0646c4f5d", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4a6d894d-a175-5fbf-b094-963679cf16dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821106Z", "creation_date": "2026-03-23T11:45:30.821109Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821118Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "386745d23a841e1c768b5bdf052e0c79bb47245f9713ee64e2a63f330697f0c8", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4a6e72cd-c4a9-5f80-8082-15041d7ffcb4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606505Z", "creation_date": "2026-03-23T11:45:29.606507Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606512Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fa959c48c055ec149d434a5adeb9f9938d1c260a65ee8a4ea1d67bfbdceab83f", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] 
[authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4a7b1e46-04f3-59d2-a30e-bdf5132eff22", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.471597Z", "creation_date": "2026-03-23T11:45:31.471600Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.471609Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cb53959c71aa4cc446e6424b17440292c77d6c7fa88ce9503670a0a0cbe8ccb7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4a89f099-894f-5d46-8871-bbed0765c18b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981454Z", "creation_date": "2026-03-23T11:45:29.981456Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:29.981462Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8bf01cd6d55502838853851703eb297ec71361fa9a0b088a30c2434f4d2bf9c6", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4a8c4c2d-8dee-5211-a23e-07344c9a4799", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457689Z", "creation_date": "2026-03-23T11:45:30.457693Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457702Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ed617d4c50288921a6a760de19db1633bd8172421109dcf68082c67db085ddb1", "comment": "Vulnerable Kernel Driver (aka rtkio64.sys ) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4a8d2828-2537-581c-bdfe-f4453f0201c8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, 
"username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477461Z", "creation_date": "2026-03-23T11:45:30.477464Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477473Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "51480eebbbfb684149842c3e19a8ffbd3f71183c017e0c4bc6cf06aacf9c0292", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4a8d88c5-83f7-5be6-b948-034701a6b94d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821217Z", "creation_date": "2026-03-23T11:45:30.821220Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821229Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "468b087a0901d7bd971ab564b03ded48c508840b1f9e5d233a7916d1da6d9bd5", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4a8e35bb-b29a-5e05-bdf6-58c86bee1328", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471076Z", "creation_date": "2026-03-23T11:45:30.471079Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471088Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "785723a3afe96876382524a9e90984f379c41521cd1f86a2172314ad58785e4f", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4aae35d0-68bd-517a-bb7d-f2be35bb1a96", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618694Z", "creation_date": "2026-03-23T11:45:29.618695Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618701Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"1e1f20ceb2bfe9f38b50d6c997dbad032b2a79937ef6b3ce41b34bb74fbd24db", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4aaf35c8-e06b-5a48-9c23-80e82684ebfa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985144Z", "creation_date": "2026-03-23T11:45:29.985146Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985152Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f2b95fc91fe33c1995c49c35e32124ece7d958ed7d3b7a5f325f2a30454b9256", "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4ab6ba8b-c8cf-5c3c-947f-b5e3a126accc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153771Z", "creation_date": "2026-03-23T11:45:31.153773Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153779Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7a044042ef9cb8e015981ce8d1d9853340acf7414d7d18a3ab7e480edcd90349", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4ac3a019-1408-5e50-8d29-5a1e7d61a37d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143704Z", "creation_date": "2026-03-23T11:45:31.143706Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143714Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8e391e12eb754d8cfe0e566c5ced36118048e963d8127e2333cd5fcb2f658622", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"4ac4afb1-8bf5-54d4-9d77-90cb894dbd91", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608722Z", "creation_date": "2026-03-23T11:45:29.608724Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608732Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8aeed1480e8c4dd4a26a6717fb274ba36054000acb49e8423c20b5f2ebb3851a", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4af69396-f7d3-5d50-861b-bb35b60df45b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813806Z", "creation_date": "2026-03-23T11:45:31.813809Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813814Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "02b8d6e0d3669fee150cd0a79d5413eb8ed3fd3ab5e70329e7f488be40d1d8a8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4b0b3a7a-d721-5ad4-9dc8-3d732f42ad0e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819895Z", "creation_date": "2026-03-23T11:45:30.819897Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819902Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7c8d7bb3a272afe7fb737bd165fe9bd8f8187f1835289eb66d471cdced74e950", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4b152d9b-6592-53e9-91b4-a2083e2e26d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151160Z", "creation_date": "2026-03-23T11:45:31.151162Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151168Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "281ae0003e98de2f4b1a10255142ee54631e04b2b8a30f4ef3014a00d98a04aa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4b16ac1e-ae9e-5d2c-a45f-0763597a1dd6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811292Z", "creation_date": "2026-03-23T11:45:31.811294Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811299Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cf50b862cc00efe4bbf7a707d7eaf70657ec0f6f127d0d462248497d19cdc583", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
} { "id": "4b177385-685d-50b7-8542-5806cc73b5a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605304Z", "creation_date": "2026-03-23T11:45:29.605306Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605311Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4c029ac703913ff22930856aaeaf992f18a602f282c001252a1a8172ecb0b766", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4b18c008-e0be-53cc-b712-bd8e6a86fab0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813914Z", "creation_date": "2026-03-23T11:45:31.813916Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813923Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "0ca73650cd34c9701d64c67d9416c5cebf077607d24e2dddd5d98af25a966a5f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4b20fba9-5f83-5d90-b3c2-4b6378790338", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489854Z", "creation_date": "2026-03-23T11:45:31.489858Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489866Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "46bc64031ea94d3cd93b0d2dcb90c38e90bdd27b4ffe2fc74b56a82a139aa3f1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4b3438f9-d5a2-5195-9384-83a6e1f61284", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820163Z", "creation_date": "2026-03-23T11:45:31.820167Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820175Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c97c503b95faa2aa2a4f2345396f81716343bcba32f05ed0a17e2b722ca62157", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4b35bbc4-8e3b-5130-9c02-5dc9e8408b57", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481384Z", "creation_date": "2026-03-23T11:45:30.481388Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481397Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "793a26c5c4c154a40f84c3d3165deb807062b26796acaae94b72f453e95230d5", "comment": "Vulnerable Kernel Driver (aka phymem_ext64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"4b3a0e87-5892-5fa4-b12c-f92f788f0acb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606368Z", "creation_date": "2026-03-23T11:45:29.606370Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606375Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1e9922ff0332701c81667b2f34538ded46f1f42c4638c22da3834f3d86452c27", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4b3fb118-81a4-5284-9bae-0e1af6952b42", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984105Z", "creation_date": "2026-03-23T11:45:29.984107Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984112Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9", "comment": "Vulnerable Kernel Driver (aka CupFixerx64.sys) [https://www.loldrivers.io/drivers/c98af16e-197f-4e66-bf94-14646bde32dd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4b42c871-ff82-5b0e-a97c-052198bba4a7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975711Z", "creation_date": "2026-03-23T11:45:29.975714Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975723Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fcdf0eaf9c8effa2786c82e774974f1ef4098dcd376461bad37fd4168dcab52b", "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4b51ff34-a070-5c0d-afbc-801b7f4e42f3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605102Z", "creation_date": "2026-03-23T11:45:29.605104Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605109Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c7b1bb39dcd7f0331989f16fcc7cd29a9ae126bee47746a4be385160da3c5a29", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4b587255-617f-5ebf-9419-0811f20c50ad", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481204Z", "creation_date": "2026-03-23T11:45:30.481206Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481211Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5dc477cc45e4c1421296373adef9f5795fb9f5035f1400c72bb37678ad7f8954", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4b67b1f3-b108-5fe5-8bf5-657ec0f2523c", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817444Z", "creation_date": "2026-03-23T11:45:31.817446Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817452Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c4c934b9604efe82b1cdb01837be62bc392988c0a975fe3945865e7463a49950", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4b7105fc-3403-5c76-8a67-812f3382e625", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810698Z", "creation_date": "2026-03-23T11:45:31.810700Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810706Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "146b7aa22d47b0585c5f6a41b4ca8acff056d26fa62304675199195cd62a40c4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4b75725f-9d4a-5ce7-840b-84d7f0cc8fa0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813561Z", "creation_date": "2026-03-23T11:45:31.813564Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813573Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "045ac1a3b28a774ae92fc318b0370d3426a5db7d942e5113897ede9ec85888a4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4b80c240-d123-5a8b-8047-f3850b64d962", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975956Z", "creation_date": "2026-03-23T11:45:29.975958Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975964Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "251be949f662c838718f8aa0a5f8211fb90346d02bd63ff91e6b224e0e01b656", "comment": "SystemInformer driver (aka systeminformer.sys, formerly known as kprocesshacker.sys) [https://github.com/winsiderss/systeminformer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4b81ff99-5324-5f0c-a0c5-ad2246319012", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491920Z", "creation_date": "2026-03-23T11:45:31.491922Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491928Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c845b52bef8193d0187db0e1608f65807b46354fdd15a68fa2eca0a1462bcf2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"4b92336f-68d4-5aff-98b2-64e1481e7a68", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456364Z", "creation_date": "2026-03-23T11:45:30.456367Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456376Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0aff83f28d70f425539fee3d6a780210d0406264f8a4eb124e32b074e8ffd556", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4b9323ef-6313-597b-b1c3-222e2908f2a4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472531Z", "creation_date": "2026-03-23T11:45:30.472534Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472543Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "d0543f0fdc589c921b47877041f01b17a534c67dcc7c5ad60beba8cf7e7bc9c6", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4b9a7ee2-af18-5ca6-a77e-549b32760fc4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474769Z", "creation_date": "2026-03-23T11:45:30.474772Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474781Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bedb25c95cead7deb60ef18c753b65131d9b7dcd13846f09b011060042586213", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4ba330da-f486-56c3-a23b-ee1132d31427", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973199Z", "creation_date": 
"2026-03-23T11:45:29.973201Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973206Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "911541d26b605a97ba099563b9eb7e027c102f139dba5884a57df5a13cf3dcef", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4ba8babe-5961-5ccf-881d-7aed197ac336", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985759Z", "creation_date": "2026-03-23T11:45:29.985761Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985766Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4cfd9cb41a51b1e1fdfc9a6855323bf11a0baf18e5d8f0ee7480a8cb5be7c8ac", "comment": "Malicious Kernel Driver (aka malicious.sys) [https://github.com/zeze-zeze/CYBERSEC2023-BYOVD-Demo] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4bbecbf8-c13c-5415-a5c7-60f788426a9a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156997Z", "creation_date": "2026-03-23T11:45:31.156999Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157004Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ca407794a31a010d4cad09311293244c19607ac903d7c06c4e85e5e452af300", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4bc18ecb-5e36-5ec2-8c56-04096fed71a8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476554Z", "creation_date": "2026-03-23T11:45:30.476558Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476567Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ae85245fcb873d6fbf61f1923b8c10f0680abeaf2bf5527aef1c4a52aae321d0", "comment": 
"Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4bc21be2-c347-5872-b3f0-85636c24a00c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482058Z", "creation_date": "2026-03-23T11:45:31.482061Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482072Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "27576ab7a5003133e73f00e870ea29ba6fa07f886f56f9377df2fc02640dd6b4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4bc4daf3-3cf9-5b5d-8177-ea685cb64019", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495261Z", "creation_date": "2026-03-23T11:45:31.495264Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495272Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c74d5481c6de4b5020637777fd8ee8bf5d9a97bcfe15159594ae7af949a46e1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4bc87a01-5524-57e3-a5ee-19b10f1f013a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144092Z", "creation_date": "2026-03-23T11:45:32.144094Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144100Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3855b2df32e0eedec454b25e6e2da6b3df19c4b0f575e45bc06482d4ebce7551", "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4bd8e88e-50de-5d20-9b51-c5ae8cb2a7f8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832223Z", "creation_date": "2026-03-23T11:45:30.832225Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832231Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2511804c17a1224866da91f3b65105acbcb11e7b7b1fcc1e29609194a95df406", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4bdf2800-5255-50dd-9855-5b79ff1f718c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160363Z", "creation_date": "2026-03-23T11:45:31.160365Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160370Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "88bcd2c1f5e17bee1a61bdc85d7226ee5e90c7728460e83df3108ccb5158bddb", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4bede8e0-e151-52ed-bb67-75c6633c271f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826156Z", "creation_date": "2026-03-23T11:45:31.826158Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826163Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7ba13222e25b49a99d01019af0f1378b0003cd71ae72b1ec7f512b269e86ec83", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4bf060b2-e23f-5480-be63-6f8ed10409ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809494Z", "creation_date": 
"2026-03-23T11:45:31.809496Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809504Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "afce06fe02c7c628be20bb7dd578659e94032a21f29ba7355a82381a3470c714", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4bf11efa-0f09-51b7-8ce3-5bfb70b71d45", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828654Z", "creation_date": "2026-03-23T11:45:31.828656Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828662Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4bbf8808277c2ef684de28e5bae57b9e230203b6b2cb66539cabdba0b0ecfad8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4bf54704-8255-512c-8fd5-e9955052c367", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478800Z", "creation_date": "2026-03-23T11:45:30.478804Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478813Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0e121d80264c51df9a6fca2f2201d75ccd4dc29d9566bbf0975bb05759e9c6c7", "comment": "Vulnerable Kernel Driver (aka Tmel.sys) [https://www.loldrivers.io/drivers/1aeb1205-8b02-42b6-a563-b953ea337c19/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4c13e5ba-205d-5f87-8372-56794702a727", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147350Z", "creation_date": "2026-03-23T11:45:31.147352Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147357Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"f3674adfa8151ac0100793e988aec708b0e8a2ca155226c140d7885476f971e1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4c3181cd-bf78-5b6e-b273-cd3600bc8102", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148242Z", "creation_date": "2026-03-23T11:45:31.148244Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148249Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a41dc1a32edc8073ee13dee590762343acd252a29d1eddc77bb8faeac52a3fea", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4c326e83-7946-5af6-ae18-19a9c97600ac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835434Z", "creation_date": "2026-03-23T11:45:30.835437Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835446Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "88f52739de1bc336101fdc25aa7e82cbe497c0413993ba4b9ed387a588d7f1c2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4c3e2f13-067d-5240-a3d4-e5cdd9687e46", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141139Z", "creation_date": "2026-03-23T11:45:31.141141Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141150Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a73c288bd1f33f7c56d184588d072a3f548f31cfb5b48e1c53e1beb433cee2b2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"4c41e7e2-ef7d-5c2b-9e6e-b88b58526868", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825799Z", "creation_date": "2026-03-23T11:45:30.825801Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825807Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "824370a49c9fbec55d79723417b9a97abbd613ed04e796a46ed7dc7a00bf1145", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4c422499-0305-50f8-94ae-1702d73c93a9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808211Z", "creation_date": "2026-03-23T11:45:31.808214Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808223Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3ee0dde4515bdb59defb7cc0fc31c0b04a7d72c81c42bde05a5694a7d3ff8f83", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4c42c62d-ad6d-557b-8f6d-2a11ba7f309d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972629Z", "creation_date": "2026-03-23T11:45:29.972631Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972636Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ef6d3c00f9d0aa31a218094480299ef73fc85146adf62fd0c2f4f88972c5c850", "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4c43dbdf-1e8f-524e-a477-a86d93d47218", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499055Z", "creation_date": "2026-03-23T11:45:31.499058Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499067Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "15718b07267354eb5d30fa8ab0903b013af854303b7def4981724715fcfacdb3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4c5f353f-0b0f-5f7e-8104-78eb4a923c3b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818278Z", "creation_date": "2026-03-23T11:45:30.818280Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818285Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "db0d425708ba908aedf5f8762d6fdca7636ae3a537372889446176c0237a2836", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4c60f1ff-c593-5a69-9093-b120146da657", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141750Z", "creation_date": "2026-03-23T11:45:31.141752Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141757Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0e42df3a98ebb36cf1d90f71fd179625cded05c29519e6322a4bef1b06b3f685", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4c6dcf3b-6e07-5678-b802-c37b99f787c6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973252Z", "creation_date": "2026-03-23T11:45:29.973254Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973259Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e85d36ca271c4d65abc1cdfff0e629dc5d14edb5bf97669badbb40d2715c1d47", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4c704d4f-f6b5-57d4-bda8-b5903e870bcd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457099Z", "creation_date": "2026-03-23T11:45:30.457103Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457112Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e73bb03d54b40035558df2e990367a1c4e9c1ef8e980df6380a63f3bc23e6740", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4c7b05a0-da47-5f77-85f6-34cbb07a5a53", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488275Z", "creation_date": "2026-03-23T11:45:31.488277Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488282Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e81366817f6b3eb948e2e321a4f269d87577a4a28d93939502f5d48226dfa0a9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4cc183d5-8968-5e24-89aa-65bcb2d09cd6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159049Z", "creation_date": "2026-03-23T11:45:31.159051Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159056Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a7434d979a87f4e94b5dc7d4609527fe966875fea40cf0f74e359b6cbddd5d07", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4cdd3d97-4c28-577c-93d1-8cd9774c75fc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825160Z", "creation_date": "2026-03-23T11:45:30.825163Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825171Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab95c07bad9f17628528a8194d100eca63d82920c4da51c65183f537e748ddde", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4cf88e37-2007-59cb-aec4-ca7802c0b4fb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611983Z", "creation_date": "2026-03-23T11:45:29.611986Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611991Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8eed6b4a1e6f7dd66807beeb6ff71f8b34cd8c7777f1e31d326cb87593e8f836", "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4d00eb26-b42c-5acb-8ad7-5daaff8264e1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160203Z", "creation_date": "2026-03-23T11:45:31.160206Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160211Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e8ba80ff4af6dd6c03c9db67b1130b034e93305440c3ca68d30126f0850e675d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4d067e16-d124-5950-b195-9b7f9ce4be89", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491602Z", "creation_date": "2026-03-23T11:45:31.491605Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491613Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4e3c0b260d1fdaf2b0e3ebe7a7db4091f743cfda4f6ee1c5ec3a6be353beec9c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4d11f3bd-0675-58c2-a6b6-22ecd17de901", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975378Z", "creation_date": "2026-03-23T11:45:29.975379Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975385Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"679de7449908838c031db59234cb4f482fbf5d27d7e02d0c30d5ad9d2f36495f", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4d1a1987-284d-5c9c-86d5-c4021db29f03", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155171Z", "creation_date": "2026-03-23T11:45:31.155173Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155178Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "72ca07aafc94be8f6f6e5b37003b1645f26bd50fdb3a788e2a3191e0bbf78251", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4d1f115f-34f7-574c-8778-2ad46a4bca65", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148936Z", "creation_date": "2026-03-23T11:45:31.148938Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148944Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0a07307d863085ae5779d8ba13dac5c3a4de25b93294e376775ae93c8d0845b1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4d2990a5-9628-5e97-8050-da14994367cc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473829Z", "creation_date": "2026-03-23T11:45:31.473833Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473843Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2fd3d76efd5584382b156ca17fe96d0a1c951fee2a804044dc6325d8e85aeef5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4d30f7c7-3bcf-5965-9ecd-e54e1027ad99", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495956Z", "creation_date": "2026-03-23T11:45:31.495959Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495967Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c58bc7080d7afb1ca252ea6790d2121f247d331f6e208690ea6c02f3d776499e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4d403298-5d4a-59db-9f21-cca78b2a2c32", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827397Z", "creation_date": "2026-03-23T11:45:30.827399Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827405Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a484ffb9ea9148400fab505d1fedddff288cac81a739b93b2d58ea159e20449d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4d4dce75-184a-558e-82fd-1b7dd315d7ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977314Z", "creation_date": "2026-03-23T11:45:29.977316Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977321Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1aa8ba45f9524847e2a36c0dc6fd80162923e88dc1be217dde2fb5894c65ff43", "comment": "Vulnerable Kernel Driver (aka netfilterdrv.sys) [https://www.loldrivers.io/drivers/f1dcb0e4-aa53-4e62-ab09-fb7b4a356916/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4d514121-2000-54a1-94c8-05ec33751eca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144841Z", "creation_date": "2026-03-23T11:45:31.144843Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144849Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "227645825c296a3ab08734d67a704b17312d00faf667eea26ee4f89aa32b8545", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4d5b0974-848c-5f46-a2ef-b08907062fa7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150738Z", "creation_date": "2026-03-23T11:45:31.150740Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150746Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d28a1a5e52f83e97e9437116cbecf0be4e650a157e7a6c98e4864ddf0780d40c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4d5b8bdc-82c9-59ba-bb0c-09b749627086", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474180Z", "creation_date": "2026-03-23T11:45:31.474183Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474192Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "176a8291782aba65d9fd94b4eec5b413d1c47e83c9e2e892742a7105e74e34cb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4d5e79db-a1b2-5766-91e0-d741b761d140", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604644Z", "creation_date": "2026-03-23T11:45:29.604646Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604652Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "08eb2d2aa25c5f0af4e72a7e0126735536f6c2c05e9c7437282171afe5e322c6", "comment": "Vulnerable Kernel Driver (aka mydrivers.sys) [https://www.loldrivers.io/drivers/d9e00cc7-a8f4-4390-a6dc-0f5423e97da4/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4d5f5b2c-ab51-512e-9578-b3acb90a18cc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488045Z", "creation_date": "2026-03-23T11:45:31.488047Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488052Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "528f56c8a2caeee978bf462ae7ada5ecbfa8ca25f7d187fd9c7b660dbd0ca61e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4d5fb6ed-fbbe-52aa-a80a-0b00a93d38f6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622019Z", "creation_date": "2026-03-23T11:45:29.622021Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622026Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "26b8e689a13d3434951559cff24fcfe55edeb7b78c7cc16db1a273c90aa694c1", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4d60cb57-a381-532c-ae11-ae0166bdf93f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486553Z", "creation_date": "2026-03-23T11:45:31.486556Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486565Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6a919420de7c56f88fd329ddee21f36945175411028c3a5c392d3b007d62a6c3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4d640f3e-01eb-5a8d-b0bd-738000942b15", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142952Z", "creation_date": "2026-03-23T11:45:31.142954Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142960Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a9a0fb0557ba307e5a05efa044f1ab83b349c367ccb0a5449cb5a0a31deaa2fd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4d6b8e50-a927-50af-a765-f307dcf28c1c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833289Z", "creation_date": "2026-03-23T11:45:30.833293Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833302Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d8872bf582c3a4dd9736f52a16764f4de90260eabd0977a36bbd2b9ef735e7b9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4d7bf2ff-3570-5108-a6c2-9df6b7d52aa4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.497959Z", "creation_date": "2026-03-23T11:45:31.497962Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.497969Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a285988e4c8281472bc465cc15a1318ac6dc70cb7a58ac0657400d0e5e199db5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4d8b233d-a336-5618-8de3-37e652a37793", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483500Z", "creation_date": "2026-03-23T11:45:31.483504Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483514Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f74d59e46f8724eb43238e00ee0877b234e22de7a660f2c226d68ce21b663451", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4d8ef3cb-ed8a-505d-afca-5cc8e059e556", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462612Z", "creation_date": "2026-03-23T11:45:30.462616Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462625Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"8bce2afd04ec073143a2a4ba51671992451c8e747a84852458321f2d275b5433", "comment": "Vulnerable Kernel Driver (aka yyprotect64.sys) [https://www.loldrivers.io/drivers/12ccd18a-11da-495a-b4b4-98a2f2bff180/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4d9ed2bc-c7e8-5772-9465-017360104ab9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828387Z", "creation_date": "2026-03-23T11:45:31.828390Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828395Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "36f3dcbb114031b79e64f0650570c9248f08ecc000bac6d778f3df8cfdc7fc3d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4da00d52-f840-562e-9110-0aeca3bda106", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.143729Z", "creation_date": "2026-03-23T11:45:31.143731Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143737Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "98576e60b9821f44004c5b6856c75c80607fd7cb42768dd133d192846e6d9c13", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4da6ec80-5183-5988-affc-28ac774fa1c2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829916Z", "creation_date": "2026-03-23T11:45:30.829918Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829924Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "19efc37343ea49027413e197762220cdccb73103b08653b049ae9c0bf9d3cf01", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4db3007d-e59d-5f0f-8b73-f9de3d89e13d", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156274Z", "creation_date": "2026-03-23T11:45:31.156276Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156281Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c92ddd3bd10344acda9a901384a86597cac3d1db8487b913574768a17dd9e8ff", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4db5b4de-3346-586d-83c8-30219a628cec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817373Z", "creation_date": "2026-03-23T11:45:31.817375Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817381Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "b730f859033c3693864b75c93b57cbccb91d2438813ecd7ef535b9cb3b6dbcc9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4db6d26f-7642-5a7d-a433-68a3e667b928", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973182Z", "creation_date": "2026-03-23T11:45:29.973184Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973189Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e35d09a903d76810830aff2fc87bb3071026d982a334b3ee4c68f66cba865109", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4db76a93-28cd-5834-9ba2-dc6046084b27", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620513Z", "creation_date": "2026-03-23T11:45:29.620515Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620521Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "22418016e980e0a4a2d01ca210a17059916a4208352c1018b0079ccb19aaf86a", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4deaa4a7-0799-53a1-9616-db1afe385fb8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475476Z", "creation_date": "2026-03-23T11:45:31.475480Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475489Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cffe0eaa5a3dc73494239a44041bfe804bc2756f5f6466fb55d23fb79cdc8e37", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { 
"id": "4defc3fb-9847-55c8-9de3-5c17d89c8bbb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611393Z", "creation_date": "2026-03-23T11:45:29.611395Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611401Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3b2a3b74127c7ecf095e0fe5a65af31b9701d2ba6dc2a4d87882de65d84842c0", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4df13330-7987-558d-94c3-e8f399123975", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143218Z", "creation_date": "2026-03-23T11:45:31.143220Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143226Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "53617059a1ca7a85c563f86f8102fab3faa7dcb24aad2f2e7da80b8295a02c45", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4df67c07-62fb-5b61-b6af-cf43e08fc5f4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468638Z", "creation_date": "2026-03-23T11:45:30.468641Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468650Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "30f9aca036adbcc15cace326e042ed3590f00045f66982afbf569d8fd9b6747b", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4e0049ee-4caf-52b9-ac43-53e05c2bd6f8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145090Z", "creation_date": "2026-03-23T11:45:31.145092Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145097Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "964f39b115ba8b3a0b8fb73427485c9ec308d33d50c7f07738257a7401c533d0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4e01b31f-8ef9-55ef-9458-971bfc126a35", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616470Z", "creation_date": "2026-03-23T11:45:29.616472Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616477Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f06fdfe50ebc8d1d2daf5811b66288563f26a09a2ec9c2a21e2a71ff19756062", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"4e06ed7c-c8c1-5f24-89d9-f1842a1144c5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826543Z", "creation_date": "2026-03-23T11:45:31.826545Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826551Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "96e3b89240889b23351e68525bc12d9c5a9150bf8edece3debc58b4917a648d9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4e0902b8-376c-5d1e-94d9-8b0f2cfd7b9b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454448Z", "creation_date": "2026-03-23T11:45:30.454452Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454460Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7a1dfe962c0c714c35827f7cf19bbca693bb1e769037b06b5f86d7f33b723f72", "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) [https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4e0fd229-e5b0-5467-8ca7-c70fd462e0a8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479530Z", "creation_date": "2026-03-23T11:45:30.479532Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479537Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b06dad9821beef3442cd9e775228baa56582a3a85c9d178693f3cf236623de17", "comment": "Vulnerable Kernel Driver (aka segwindrvx64.sys) [https://www.loldrivers.io/drivers/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4e2015db-1aec-53dd-bea5-1587cd5ad482", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611113Z", "creation_date": "2026-03-23T11:45:29.611115Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611120Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff0857f3e3f4e6248e169e9df3fdf4dc571bc65ec731cf11be2532d9405d95d2", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4e366dd1-0545-5d14-b9af-bd60eb5379b9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151304Z", "creation_date": "2026-03-23T11:45:31.151307Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151346Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5464daff8ea291c07bbfeeedd186ef81b5518239e9201c75580d94804b3bfe89", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"4e40be56-e33d-523b-ac2d-7ca46452cd7f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968631Z", "creation_date": "2026-03-23T11:45:29.968633Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968638Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "608b352bef3e56480ede69c1641af11e5fac88e04e4cd776a9c5ae029a286b72", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4e521e0b-5950-5522-9046-c96f29c1ad0b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826497Z", "creation_date": "2026-03-23T11:45:30.826499Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826504Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "3dde98fdf64982a6272ac0e91cfa5d98b0aa7bb856338de84fa7c5e2c44471ba", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4e56aa98-3812-53ce-9d40-b10dd4657ed8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617115Z", "creation_date": "2026-03-23T11:45:29.617117Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617122Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a4e850e7847499e7d4c2754f8a4973fc5b4adeb728e1e142d1d35d519edf3274", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4e5bed66-f133-5a85-988b-1f7be3a339e3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, 
"username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494275Z", "creation_date": "2026-03-23T11:45:31.494278Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494287Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "baf9a9d5cf80c5ecc293acb7655b654e943bd00aefc2afe0b805183be6d8a211", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4e5c5f9c-b694-5dc6-8172-961780824a95", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829540Z", "creation_date": "2026-03-23T11:45:31.829542Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829547Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "013d03802f367cd8c8d45590bb27d01672d91808b157611f687ac603be778dcc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4e5f6ef4-aded-5b93-9f80-00f6384bc5e6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827035Z", "creation_date": "2026-03-23T11:45:30.827037Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827042Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d31de75c30d650de31bfeb5748f7981960672aa2fc26c8b49ff02c75d1446cc2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4e628a5e-5f60-5e77-b938-14bceb58853c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977469Z", "creation_date": "2026-03-23T11:45:29.977471Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977480Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b", "comment": "Vulnerable Kernel Driver (aka CorsairLLAccess64.sys) [https://www.loldrivers.io/drivers/a9d9cbb7-b5f6-4e74-97a5-29993263280e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4e72d7e2-b53d-59b2-b3f0-fe421468eb51", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621829Z", "creation_date": "2026-03-23T11:45:29.621831Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621836Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "739c11fdb8673ab5b78f1a874daf5ba3faddb7910a6d4e0cc49abd8b8537333f", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4e7abd0d-7e89-52a7-9e12-99a66349cb11", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617833Z", "creation_date": "2026-03-23T11:45:29.617835Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617840Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a899b659b08fbae30b182443be8ffb6a6471c1d0497b52293061754886a937a3", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4e7d5263-a185-5503-8be8-ff7bdf445e25", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481922Z", "creation_date": "2026-03-23T11:45:31.481926Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481935Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b707f011d2e9a0d68513e7190ee788114fae3abacaf81ffbd6c187a71ab8d100", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4e80d689-e7f2-56ae-8e0c-0543046db358", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500283Z", "creation_date": "2026-03-23T11:45:31.500286Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500294Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d86fead83d85832f0fa80d7b5c752dd3742b2ac3573cbaf89d3e2f2e58fdbe3e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4e844007-3826-5800-9e31-3e204762f4de", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609576Z", "creation_date": "2026-03-23T11:45:29.609577Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:29.609583Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0b15b5cc64caf0c6ad9bd759eb35383b1f718edf3d7ab4cd912d0d8c1826edf8", "comment": "RobbinHood ransomware malicious driver (aka rbnl.sys) [https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4ea2d991-9422-57c8-9d34-fe22c8ce425f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830089Z", "creation_date": "2026-03-23T11:45:31.830091Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830096Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e824ccb01e6df3cee8077e15440de5b00fe40ffea71b6ead64cef1512d3a08a6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4ea40022-e9c4-58ba-948e-f98c8bd6db23", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828419Z", "creation_date": "2026-03-23T11:45:30.828421Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828426Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4144020a979834bc64cb19a0e82daa99462ccb3629b7a6f7cc9cd2beaf5909eb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4eaa679c-df42-5f20-af10-74d8b9824439", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480488Z", "creation_date": "2026-03-23T11:45:30.480490Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480496Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5d8a10b966e30ee6a696ecc6809936411be7ff672593998693c6b1a58baf0e42", "comment": "Vulnerable Kernel Driver (aka GtcKmdfBs.sys) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4eae0368-de5d-5c3c-91ab-7593b964862b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973415Z", "creation_date": "2026-03-23T11:45:29.973417Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973423Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7c731c0ea7f28671ab7787800db69739ea5cd6be16ea21045b4580cf95cbf73b", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4eb460e8-ecfb-59cb-89e0-eb144d1327dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612001Z", "creation_date": "2026-03-23T11:45:29.612003Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612008Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "24e70c87d58fa5771f02b9ddf0d8870cba6b26e35c6455a2c77f482e2080d3e9", "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4eba68d7-ecce-58d5-bddf-d0358daea3e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820643Z", "creation_date": "2026-03-23T11:45:31.820646Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820655Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1cf8b71409b1a00d032d9a62a90f50e3bc5e5b0d0963357d2cb20d48eb0cc32a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4ec44353-da03-55d2-8a5a-2061e4a3a66d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619439Z", "creation_date": "2026-03-23T11:45:29.619441Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619446Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8944a3f50f38d92d17b8cfe2e08201a79ea30f38812d18f28036e59789d3f58c", "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4ec5c141-60d5-5a40-af5d-ba2cc6b3cb61", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827344Z", "creation_date": "2026-03-23T11:45:30.827346Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827352Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e4e83f7397ed109520ed7651f57202cd7158317829a7b5ffb381e8caed4e42f4", "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4ed39125-ebe7-521f-9b53-879c593e1400", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976029Z", "creation_date": "2026-03-23T11:45:29.976031Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976037Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "62bd7f8922d8b4ee00d1aea58a885a2c10cbe4c4e51f567b033454aacf7c6b99", "comment": "SystemInformer driver (aka systeminformer.sys, formerly known as kprocesshacker.sys) [https://github.com/winsiderss/systeminformer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4ee58a94-1985-5751-81f2-acc544f27857", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807678Z", "creation_date": "2026-03-23T11:45:31.807680Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807686Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9e0c3b29e8e0118622b3f5fcdd104190329e2635660d8ff5870263ddf5d18d4f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4ef02bdf-82fa-521a-a0e1-436b4c0e8617", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145430Z", "creation_date": "2026-03-23T11:45:31.145432Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145437Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "39858843fe5f4c5b8969c6efc6817ba4e975be34cb8cab113456656e9b75f4d5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4efb9e1b-db17-589d-a053-97d5eee4920d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466214Z", "creation_date": "2026-03-23T11:45:30.466217Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466225Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "28f5aa194a384680a08c0467e94a8fc40f8b0f3f2ac5deb42e0f51a80d27b553", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4effe5cc-109f-5e72-89e7-29ed3d359cf4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982467Z", "creation_date": "2026-03-23T11:45:29.982469Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982475Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e2e17e6e222316a4c70dc931d5c550466eb5d3e325794731002792e5587dc29d", "comment": "Vulnerable Kernel 
Driver (aka Lurker.sys) [https://www.loldrivers.io/drivers/3fb743b8-d3ed-4873-9c95-e212720dde21/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4f0383de-b72b-50e7-b0a2-224d9fa9a78e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823790Z", "creation_date": "2026-03-23T11:45:30.823792Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823798Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a2b3fb7a9a431d45d9225424448aed87b71f5dc7cf8a2c1591a77c86971becda", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4f0c1cfd-8272-5153-9d6d-279f364bbf6b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824321Z", "creation_date": "2026-03-23T11:45:31.824325Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824332Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3c596759c37c74fa2c6f423c86e3fbc7e69aa6d0ebf6f26b2ccd1c774cafbc06", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4f1f256c-5765-5b52-b87f-9846fbfa3cd2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829167Z", "creation_date": "2026-03-23T11:45:30.829169Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829174Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "54905e43b198a32610a2b935f3dba88d81b41ebcc8e06f4639b92dfbdd0404bc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4f21976a-c425-531c-b322-010b83072fed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479565Z", "creation_date": "2026-03-23T11:45:30.479567Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479573Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5a7bde3c194e84070ff15718e58b6d9a79d5b11fb4f5754ecbae9f6fee1ca40f", "comment": "Malicious Kernel Driver (aka e939448b28a4edc81f1f974cebf6e7d2.sys) [https://www.loldrivers.io/drivers/4f2edf45-b135-404f-bedc-9583f0bae574/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4f286794-21a5-5ea3-b11e-d9d1c0929e73", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143562Z", "creation_date": "2026-03-23T11:45:31.143564Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143570Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c66fd25fb23a21fdf502b1f750bd8d862e937eead46554c3c1d62eff67f549df", "comment": "Vulnerable 
Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4f32b263-13d1-559f-9e6e-341050406195", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144837Z", "creation_date": "2026-03-23T11:45:32.144840Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144845Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "146b8f4fc91a4915e8f6aa6e0d871f7161a809c46760ef602bab534836142436", "comment": "Malicious Kernel Driver (aka driver_146b8f4f.sys) [https://www.loldrivers.io/drivers/cea8bd08-a3c5-4ae1-a568-387b909ada67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4f3a832f-bfef-50fd-a3e1-5e0aaee846f0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827199Z", "creation_date": "2026-03-23T11:45:30.827201Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827207Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "08e4f45807c9d9608d1d3283dad5d02c5714a47a7210e082f2607cd6d2f79bc9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4f4638e2-eb01-54a9-ad97-93d112a4f579", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480370Z", "creation_date": "2026-03-23T11:45:30.480372Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480378Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0abca92512fc98fe6c2e7d0a33935686fc3acbd0a4c68b51f4a70ece828c0664", "comment": "Vulnerable Kernel Driver (aka GtcKmdfBs.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4f46a8a1-84fd-5f2a-beb1-d251287e51ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467471Z", "creation_date": "2026-03-23T11:45:30.467486Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467495Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8e1d02a67ad311f9e48d42813e6d208bda3e7e4da0d212d7b484a8454b41678c", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4f4b14dd-30ae-5b7c-83a8-65a29f65bc88", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981260Z", "creation_date": "2026-03-23T11:45:29.981262Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981268Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7108613244f16c2279c3c917aa49cef8acf0b92fdaa9ace19bf5cf634360d727", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) 
[https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4f50fb48-6e83-5807-b7d8-c0abd0fc36d8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807696Z", "creation_date": "2026-03-23T11:45:31.807698Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807703Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9b1a16363471806fd07cbac03ae3a929fa508d165f381c50ee79d540ce94a9a4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4f5532d8-407d-5833-b978-0dc63772040e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830168Z", "creation_date": "2026-03-23T11:45:31.830170Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830176Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "29da9a13dabdb33a4693d67afb5a512d350c3a7de60fd93abf8880c55dde0e57", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4f55ae57-a764-5f84-bb3f-377877f23a29", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479015Z", "creation_date": "2026-03-23T11:45:31.479019Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479029Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "40bd99633a6b161cb5b9d3ba5e821e63a92839ae181a71b201bfe9d595010d63", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4f560968-6744-57d7-ae25-483535ba0209", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452769Z", "creation_date": "2026-03-23T11:45:30.452772Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452781Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bb0742036c82709e02f25f98a9ff37c36a8c228bcaa98e40629fac8cde95b421", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4f5eaaa9-fd72-5286-bbcc-d2bde250b2d1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483961Z", "creation_date": "2026-03-23T11:45:31.483965Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483974Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2751662b682d8283f3b271d70cd5a8f76c7560060af7587efc787d0331940fed", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver 
(aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4f6c8e0a-e3ca-5dec-8bed-9dc91ba326a9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148625Z", "creation_date": "2026-03-23T11:45:31.148627Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148632Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c3524fae1dcc6cf4c49e53ca87c38e116e2995acc0129ced0ca3d1691c9c135", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4f753c5b-5f0a-53d3-9f77-0af8d0a23cf3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143206Z", "creation_date": "2026-03-23T11:45:32.143208Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143213Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5f6547e9823f94c5b94af1fb69a967c4902f72b6e0c783804835e6ce27f887b0", "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4f7a83da-48ac-5f8b-9582-a04352e7039d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622724Z", "creation_date": "2026-03-23T11:45:29.622726Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622732Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bb68552936a6b0a68fb53ce864a6387d2698332aac10a7adfdd5a48b97027ce3", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4f8885a1-b372-5e69-bc49-a53da16a0550", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819446Z", "creation_date": "2026-03-23T11:45:30.819449Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819454Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "87b4c5b7f653b47c9c3bed833f4d65648db22481e9fc54aa4a8c6549fa31712b", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4f8d7cab-3902-5fa4-8db3-9fe474e22899", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809926Z", "creation_date": "2026-03-23T11:45:31.809930Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809938Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d911a3bddb038fc57677c138abdc490b707b86886765f2c6d31fce50481f52f8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4f9f0197-c33f-5731-b4bd-9354f7936ca5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491735Z", "creation_date": "2026-03-23T11:45:31.491738Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491746Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "435f57a97f28eca6fe5863aad3f365ec8fa65742576b5dbf9c0b853ca0e690e1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4f9f8c53-58c1-563a-8725-918d6f5fdc07", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608892Z", "creation_date": "2026-03-23T11:45:29.608894Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608900Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "79e3b14b68f1fcf805ccfe7bc2dc81b98346d2e83a6335816b276970e2e2691a", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4fa594b3-616b-5842-bc94-2c920f8b330f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455788Z", "creation_date": "2026-03-23T11:45:30.455791Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455800Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c44b807e14e5da43a060cb36a83aa5b1e4b7b95620f9e41d289694f9daa8b77a", "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4fab0a1b-2cec-532a-a7f2-e480694c08ae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813477Z", "creation_date": "2026-03-23T11:45:31.813480Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813489Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "948c00a80392791ab7f28bb6ffa79032f2f3835748c8f4cacf23103d4826ff0f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4fae4450-c2dc-5f9f-8fb3-fe88cd88d3ba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972422Z", "creation_date": "2026-03-23T11:45:29.972424Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972429Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dcd4d4bee76aacba8792df291eb55cc716752bd7ddb51ecb9bec491b02f57c70", "comment": "Intel Ethernet diagnostics vulnerable driver (aka 
iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4fb9a891-b117-5654-9a9f-779015ad1fc3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822152Z", "creation_date": "2026-03-23T11:45:30.822154Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822160Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0a1d5ba96cde7e8485077763e34738bf9c2734c81440ecab82ff63606a50dfb2", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4fc1c1e1-f7c3-5cbf-b05b-44db5062f96f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812729Z", "creation_date": "2026-03-23T11:45:31.812732Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812740Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6079447f59d41c7e67e24d4cf90e1f4b18090f3f8db689b430fee7a4ab661379", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4fc4f610-2427-5618-913c-2bfd034b7535", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975735Z", "creation_date": "2026-03-23T11:45:29.975737Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975742Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bd1d579a15ec3c1120cc6e0c8ff6b265623980de3570a5dd2f57d0c5981334d8", "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4fcab462-89f6-5e29-ba56-6763655e83c7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971228Z", "creation_date": "2026-03-23T11:45:29.971231Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971240Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3c18ae965fba56d09a65770b4d8da54ccd7801f979d3ebd283397bc99646004b", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4fcd6410-b307-5247-84e2-f03f83bbdedc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616329Z", "creation_date": "2026-03-23T11:45:29.616331Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616337Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2f60536b25ba8c9014e4a57d7a9a681bd3189fa414eea88c256d029750e15cae", "comment": 
"American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4fd12092-f54b-5e8f-b004-2a1104dc74cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456048Z", "creation_date": "2026-03-23T11:45:30.456051Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456060Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "52b9302507bccd7eb775137a4c17b0df9a5a99671968c01924cd0c52a0c69262", "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4fd13f91-490b-5df3-ace8-237b11078bfa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145541Z", "creation_date": "2026-03-23T11:45:31.145543Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145548Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9ce6d70fd61896b1ca589c0f8512300b0be2fa4c26a4e3c5805487daed25fce1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4fd1c727-6da4-5de8-9b32-be60c02ad31c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456942Z", "creation_date": "2026-03-23T11:45:30.456953Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456963Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c025ec72d4b8297ee2e0fac7747f39d256aad26fbf0554e3729e3e381bc6ea86", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4fd82f10-a16f-59b0-8d7c-59c1705f1ce1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811274Z", "creation_date": "2026-03-23T11:45:31.811276Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811282Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7e090fc6f8c03c42d752b1cb52fa51331d0a0a245329843e3c35fac314f237bb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4fe88f7b-4a1c-5eaf-81cc-53cd53dccba7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152925Z", "creation_date": "2026-03-23T11:45:31.152929Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152937Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c6566352b41ad20e1d0fdb1a4c608c24cb273d8a70f568fe88b72094f4fbd8a9", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4fe9f322-b11d-5ad8-b96d-5ddf9027552c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480697Z", "creation_date": "2026-03-23T11:45:31.480701Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480711Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0d31558649752c27457acdbfe7ece8bf4764e3f69216dfeabe47acc301b905d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4ff8525c-b1b9-58e3-83ba-ee3e98972f9d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.142669Z", "creation_date": 
"2026-03-23T11:45:32.142672Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.142677Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b57caf226aaf1ee53a3e98e2f2ed40837bfa7a889b2914796f03ead147f219a6", "comment": "KingSoft Antivirus Security System Driver (aka ksapi64.sys and ksapi64_del.sys) [https://github.com/BlackSnufkin/BYOVD/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "4ffcf1c1-6abd-5df7-b738-8e21bb38670e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480986Z", "creation_date": "2026-03-23T11:45:30.480989Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480995Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bef87650c29faf421e7ad666bf47d7a78a45f291b438c8d1c4b6a66e5b54c6fc", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "50033f63-6cea-5367-a2be-86c52857e2bb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610031Z", "creation_date": "2026-03-23T11:45:29.610033Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610038Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee45fd2d7315fd039f3585a66e7855ba4af9d4721e1448e602623de14e932bbe", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5004279b-d577-5554-8229-cdfb98da535e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613329Z", "creation_date": "2026-03-23T11:45:29.613331Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613337Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "53bb076e81f6104f41bc284eedae36bd99b53e42719573fa5960932720ebc854", "comment": "ASRock vulnerable drivers - Privilege Escalation (aka 
AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "50214fe8-8e1d-5349-8037-94e464ab1c65", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611745Z", "creation_date": "2026-03-23T11:45:29.611747Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611752Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4bf6f1b49ed332b31c695ee1e3e8db69d7514a3179f707034eec96de4865e1d2", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "502e41a2-19d0-5dd4-829f-0b065ee4c387", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968280Z", "creation_date": "2026-03-23T11:45:29.968283Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:29.968292Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "795e5774aefd74200d552bf7ede17491c254fa7a73e2a00eb0e1462f18211ff5", "comment": "Vulnerable Kernel Driver (aka EneIo64.sys) [https://www.loldrivers.io/drivers/90ecbbf7-b02f-424d-8b7d-56cc9e3b5873/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5041a6e3-ff8b-5e20-9491-934fa55fa9f5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152340Z", "creation_date": "2026-03-23T11:45:31.152343Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152350Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1a3f3f0f302e12078ec7fe953716d9ff14d60a90317ed36dc859104009b0f32e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5048346d-67e2-518c-bda3-c224ffc28682", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813006Z", "creation_date": "2026-03-23T11:45:31.813009Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813018Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6d436f001638d3f7098656cdb48be86e6a9852807a5cb930b61721f6e4ca0bf5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "50490c99-1eb7-5277-b77b-f0c03826efae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467413Z", "creation_date": "2026-03-23T11:45:30.467417Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467425Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "36670821bb4a9d69bb6193e21b0da5c52975f001d3ed2dd7ee6307a2cff8317c", "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "504c36ac-ffb0-54de-9b4c-2b8dc29191bd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969005Z", "creation_date": "2026-03-23T11:45:29.969007Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969013Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "94911fe6f2aba9683b10353094caf71ee4a882de63b4620797629d79f18feec5", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "505092ad-f074-51b4-83be-4840cb7be274", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822133Z", "creation_date": "2026-03-23T11:45:31.822136Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:31.822144Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3bbe48da0781e5052a2f1b65ae44ab7f52486db274c29311c7870d7f57ed4cc8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5068bace-3498-5fac-994e-dd0bb87cfea2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145862Z", "creation_date": "2026-03-23T11:45:32.145864Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145901Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6365024365fb0899e8a81735369a2e01f55523888e84b091858b48ef14a79e23", "comment": "Malicious Kernel Driver (aka avkiller.sys) [https://www.loldrivers.io/drivers/7a9d34e4-c660-4388-ab61-4fd6f6bf1ad4/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "506bd46c-1dfd-52ba-b356-e15bef6116cc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819418Z", "creation_date": "2026-03-23T11:45:31.819422Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819430Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0b43f92cbbbf47b846e10a90c594110be31ba277c02c6ea9ded0c68228ac8b7a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "50755618-51a9-5475-95f7-6eb61f6fa57f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485866Z", "creation_date": "2026-03-23T11:45:31.485906Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485917Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a729cfcd1a8d9b88653abb093211d7ebf06e60b0f32ade40720c455947928c9d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "508360e1-b7cd-58a0-8d74-e72997b2db56", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820591Z", "creation_date": "2026-03-23T11:45:31.820594Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820602Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "803be22d59eb2e6183cae676b7014e452d4a6bf0bacdf931b14de0239c17dcb5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5084dafd-4296-5b47-af0a-466292e622ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461935Z", "creation_date": "2026-03-23T11:45:30.461938Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461954Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c13f5bc4edfbe8f1884320c5d76ca129d00de41a1e61d45195738f125dfe60a7", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "508aa9f8-60c0-5982-966e-d7484613c903", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976885Z", "creation_date": "2026-03-23T11:45:29.976887Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976892Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1b2a83d34818db56eb39a42cc9605734c9184026cca200e819b9412071206b42", "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "508fb888-f341-5126-9777-3a0a79247232", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144055Z", "creation_date": "2026-03-23T11:45:31.144057Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144063Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7555c82a5e6dd86cf4ba7bf3745700da025af20fee489864c76a98ae0792908f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "509a1e1d-2356-53af-a5ab-1c38a1ddff63", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492232Z", "creation_date": "2026-03-23T11:45:31.492234Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492240Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "084f82fde42e6388de4ba807360d989deaf1777d89a87d1cb552ced6467b4287", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "509b5701-3fd2-53ca-b7df-85d01a5f7051", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827932Z", "creation_date": "2026-03-23T11:45:31.827935Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827944Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "addf4de4bd00a4d1a928a3dc80cc508b4cac3c263567d4d1a336ce64c6c225dc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "509be2a1-0370-53e0-bea6-558647ac3a48", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819377Z", "creation_date": "2026-03-23T11:45:30.819379Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819384Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "91afa3de4b70ee26a4be68587d58b154c7b32b50b504ff0dc0babc4eb56578f4", "comment": "Vulnerable Kernel Driver (aka VdBSv64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "50a57743-81e7-5b86-8fa8-5915cc29a6ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143456Z", "creation_date": "2026-03-23T11:45:31.143459Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143464Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "37a68e0746a1fad05fdcaf42051f42c1cb06d0b71fa91ffc6bf633cb84128f02", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "50a68351-931b-5f92-9e58-79c0ac11a0e8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615589Z", "creation_date": "2026-03-23T11:45:29.615591Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615596Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bb4e3aa888a779238b210d6406aa480f01d27ea28d20699b1ec29a59dae19913", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "50a86e60-ac98-59df-9f41-b3fe65cbf697", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830350Z", "creation_date": "2026-03-23T11:45:30.830352Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830357Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e7c3bbb2810bb71e48c92223e48ba9a7180d31ca81b3a848f0414ae3e8eb2d36", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "50b22166-a1f3-5675-9f2e-01a8e92b4f32", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159421Z", "creation_date": "2026-03-23T11:45:31.159423Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159429Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bd16a8d8c15c3b5fc059c43b4cd46529a7f1803772f909794b4f4a1a0847f607", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "50b6d9dd-cabf-5675-925e-ebfd464bf9ba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457129Z", "creation_date": "2026-03-23T11:45:30.457133Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457141Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5f4b06327ffbec2a59725a57c357daf54ea2f58aef5dc7ff3f5370168af09fb0", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "50b93558-3405-564e-aef1-4fcd42e868d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458429Z", "creation_date": "2026-03-23T11:45:30.458433Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458449Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "748b6350472e21bab16497e4296794619dede7fcdb188fea1574f89498a2ff54", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "50c049b8-1674-5649-8e59-c9587aca0ff7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822708Z", "creation_date": "2026-03-23T11:45:30.822711Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822717Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6b2f669c6fb1e839ba146b416021ddfb7bf4785558113e11ac2c8a0e3399f338", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "50c3b7ca-1615-5742-956b-298405b29fb2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487052Z", "creation_date": "2026-03-23T11:45:31.487055Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487064Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7cac5ec96dfcddba9045d401c22cf18f4c3bfda60ae5183b183b3621bdcda778", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "50c9b1f7-a48d-5313-8d87-542715d6f45d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479301Z", "creation_date": "2026-03-23T11:45:31.479305Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479315Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2acf75a9b834ff3999c218e5a803876e181e9e0ed6d77174ef9a9e889d82bb03", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "50c9b6fb-64ff-5927-bf8f-6a6995dcc3d1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971449Z", "creation_date": "2026-03-23T11:45:29.971452Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971459Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "de8f8006d8ee429b5f333503defa54b25447f4ed6aeade5e4219e23f3473ef1c", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "50d4ce18-40d0-52c2-b056-967b7612a942", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616761Z", "creation_date": "2026-03-23T11:45:29.616765Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616773Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bee62b69023212a5a964d323f60e5858d7cbd767a39f3d5ef87cacb080b1dbf2", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "50d61605-fffa-5ceb-9cda-dc176d79320b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984321Z", "creation_date": "2026-03-23T11:45:29.984323Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984328Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2d83ccb1ad9839c9f5b3f10b1f856177df1594c66cbbc7661677d4b462ebf44d", "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "50e07033-dc05-55b0-bfee-cf675b326890", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479923Z", "creation_date": "2026-03-23T11:45:30.479927Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479933Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ae9b7b6d688de9b7b5be8b4b4d61207b23a143818d4609426f0d53b6f09be9a2", "comment": "Vulnerable AMD uProf Kernel Driver (aka 
AMDCpuProfiler.sys) [CVE-2023-20562] [https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "50ebee9a-879b-5d19-b71a-b523edbcf350", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610689Z", "creation_date": "2026-03-23T11:45:29.610691Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610697Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9a523854fe84f15efc1635d7f5d3e71812c45d6a4d2c99c29fdc4b4d9c84954c", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "50ef8b09-3be3-52d3-9a51-569670b1470c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464312Z", "creation_date": "2026-03-23T11:45:30.464316Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464325Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e8ec06b1fa780f577ff0e8c713e0fd9688a48e0329c8188320f9eb62dfc0667f", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "50f54ee8-6b3b-5e7e-aab4-e8e4cee35d92", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607091Z", "creation_date": "2026-03-23T11:45:29.607093Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607099Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "filename", "value": "PROCEXP.SYS", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [filename match, not a hash: this rule also matches legitimate Sysinternals Process Explorer installs, so expect benign hits on admin workstations and review before relying on block/quarantine]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "51007e20-bf30-596c-a5c6-6ac742352c26", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493034Z", "creation_date": "2026-03-23T11:45:31.493037Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493046Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "32030e49c352a25e3d373617dc58a267cb068e93196001340cb61d6537d9b7a3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "51079775-6177-595d-be5c-3974fa6bc666", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147983Z", "creation_date": "2026-03-23T11:45:31.147985Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147991Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1682b9bccf2ec3d397dc439a5bb6d986cd938bd63e8c9b7ed4c0512a7d71a6d9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] 
[file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5108c865-7cff-5506-ba82-809ac78a6eb6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808266Z", "creation_date": "2026-03-23T11:45:31.808269Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808278Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "253f80e82f61e3dcf07f1a9fa55ac826323648c169f1df21e3e0e6335b13178c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "511220d1-c511-5b77-800b-b240c13d5533", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452372Z", "creation_date": "2026-03-23T11:45:30.452375Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:30.452385Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0ae8d1dd56a8a000ced74a627052933d2e9bff31d251de185b3c0c5fc94a44db", "comment": "Vulnerable Kernel Driver (aka Chaos-Rootkit.sys) [https://www.loldrivers.io/drivers/abcd2c10-1078-4cf9-b320-04ca38d22f98/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5118abca-b500-5eb4-b19b-ca1c98599ba7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481326Z", "creation_date": "2026-03-23T11:45:30.481328Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481334Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fc3e8554602c476e2edfa92ba4f6fb2e5ba0db433b9fbd7d8be1036e454d2584", "comment": "Vulnerable Kernel Driver (aka phymem_ext64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5137b3fd-a9e2-5b4a-861d-525c41143668", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": 
{ "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.158993Z", "creation_date": "2026-03-23T11:45:31.158995Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159001Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "17ffa8ad0e834375aef70c23e474676b09fc8d3a6dc1a14673dc7865f8e3503d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "513fa4b3-d800-557c-aa84-f5a578980a74", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982485Z", "creation_date": "2026-03-23T11:45:29.982487Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982493Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0fd2df82341bf5ebb8a53682e60d08978100c01acb0bed7b6ce2876ada80f670", "comment": "Vulnerable Kernel Driver (aka Lurker.sys) [https://www.loldrivers.io/drivers/3fb743b8-d3ed-4873-9c95-e212720dde21/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"51457347-9d1a-5489-a768-d4a4b6ab8154", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146313Z", "creation_date": "2026-03-23T11:45:31.146315Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146321Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "772a27f809add1bf474c38286c70ff3dd508c6c1d6feb9fe7e265004ff0cdb19", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "514755c6-3832-5226-bd2a-cedd12472bee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147656Z", "creation_date": "2026-03-23T11:45:31.147658Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147663Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a8f74806851f6221c107dc27a0adb75c7d19fd83374afdf2fb6858ba657841b1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5149574e-0e49-5858-9d50-8823b9b3dc22", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140151Z", "creation_date": "2026-03-23T11:45:31.140154Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140159Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "78a270ee9b994c11ed6295e9f3a24add38c711b1b3af96fed111e04bc2a6bbca", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "515217d0-bb8d-56ac-a08f-2a2b2edce24f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816014Z", "creation_date": "2026-03-23T11:45:30.816017Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816026Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7de1ce434f957df7bbdf6578dd0bf06ed1269f3cc182802d5c499f5570a85b3a", "comment": "Vulnerable Kernel Driver (aka ecsiodriverx64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "51669b63-d90b-5f2d-868b-87e18dfe8c9d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619246Z", "creation_date": "2026-03-23T11:45:29.619248Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619254Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "32e1a8513eee746d17eb5402fb9d8ff9507fb6e1238e7ff06f7a5c50ff3df993", "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "516cc22c-7723-5419-a611-c6fe402234c9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489376Z", "creation_date": "2026-03-23T11:45:31.489380Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489388Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2821f21417c3d38468cb924d6caaf3a4f40a9d25d2477c299c7aa84c2ab5fea1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "51713de4-e1f2-58d7-85bf-662d7d72bfcc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985393Z", "creation_date": "2026-03-23T11:45:29.985395Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985401Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9199979b9f3ea2108299d028373a6effcc41c81a46eecb430cc6653211d2913d", "comment": "Dangerous Physmem Kernel Driver (aka Se64a.Sys) [https://www.loldrivers.io/drivers/d819bee2-3bff-481f-a301-acc3d1f5fe58/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5174fd59-99cf-5d49-96fc-3548959033b5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454968Z", "creation_date": "2026-03-23T11:45:30.454971Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454980Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "23115b5b1d5511d59cdad75f863d65893304dc098848dcb149b69492f51b31f6", "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "51779d72-5f52-576d-9aac-2a5f5129845d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.471532Z", "creation_date": "2026-03-23T11:45:31.471536Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.471545Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "84f03b74b9fe26ceed42a64153d127aeae41ff94b5fc86e0484a17e1b2a2a8b1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "51800cdd-5718-5b84-b5b1-393f6fafc75f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817356Z", "creation_date": "2026-03-23T11:45:31.817358Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817363Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0e89f000488af2af5872b63c17b0f5fd54b30abf9f93af4c9add231ccaecfab", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "518d211c-4eac-5f66-a818-d9c7484d4dc2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494328Z", "creation_date": "2026-03-23T11:45:31.494331Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494339Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8dd18f32fbffb03a0eeb33782a5b239673597f85b195273894d33013643e3242", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "518e89ba-b3ce-5c8b-8c53-68f1bfd9e121", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607400Z", "creation_date": "2026-03-23T11:45:29.607402Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607407Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f9bc6b2d5822c5b3a7b1023adceb25b47b41e664347860be4603ee81b644590e", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5193f4ad-67cb-5800-a8ef-45bea3467d63", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615815Z", "creation_date": "2026-03-23T11:45:29.615817Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615822Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "21a6689456d9833453d5247e4c5faf13edcd4835408e033c40ae1a225711ae8f", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "51a0901e-5abd-5304-96e9-1a6b1fbaeec4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974730Z", "creation_date": "2026-03-23T11:45:29.974732Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974738Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ffbb534c73106a2879d5a9d4ad3436c8d3ab8ac6aa8b217e26a6492fa1d16d0", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "51a615f9-acb9-5db7-b511-36a78b3cf2e0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141803Z", "creation_date": "2026-03-23T11:45:31.141805Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141810Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c6b6b0e4850caa2f5f75de0667d758e420b33bda452c21d9cdf6ff29300f84f3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "51aef40b-a6af-5853-8386-18c0ea344fca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820634Z", "creation_date": "2026-03-23T11:45:30.820636Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820641Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dee384604d2d0018473941acbefe553711ded7344a4932daeffb876fe2fa0233", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "51b245a9-91b3-56b9-9410-f60cd227cf4b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615362Z", "creation_date": "2026-03-23T11:45:29.615364Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.615369Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cf3ec8972720f84d73e907bb293de40468a0d605ce0da658a786f7b4842b3c62", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "51b8638c-1275-5875-9018-7c2e4125e056", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829786Z", "creation_date": "2026-03-23T11:45:31.829789Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829797Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ffc46be50708610ec4f477ca2813d6888eb60dc9b3677ea173496b68948b33c1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "51bbddf6-fc33-51c0-8ecc-ed449ac50690", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492019Z", "creation_date": "2026-03-23T11:45:31.492021Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492027Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "65206a8a5700b4b0f9d8e2fd8e2f761b7af5af9d2d6cbd754da8cc258acd2a76", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "51c70e1d-21db-5b56-98ad-6260a58202ac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471801Z", "creation_date": "2026-03-23T11:45:30.471804Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471814Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b4c07f7e7c87518e8950eb0651ae34832b1ecee56c89cdfbd1b4efa8cf97779f", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) 
[https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "51cf5dba-c570-5537-88b5-274f7c16af18", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836735Z", "creation_date": "2026-03-23T11:45:30.836737Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836743Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "de183d93f715ca042b42104b1d9b4151af3a75c97d05c5b2dbc76f152be7c7cc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "51dea23f-b7d5-59dc-a3b3-89486eb082f4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493311Z", "creation_date": "2026-03-23T11:45:31.493313Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493319Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "13f8fb9643a8d4a721ed8f1ae882d4ef8be6413d7b35feb142e42cf787a086be", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "51e9f54c-f453-565a-b5f0-125296cfc08c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828130Z", "creation_date": "2026-03-23T11:45:31.828132Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828138Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "05ab8bf3a58a99bb1a0b32df46728bc90bc27ca5c7c544db87a285451b3a6814", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "51eb126e-d7dd-5d46-9cd5-a3b0e3cc8766", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609521Z", "creation_date": "2026-03-23T11:45:29.609523Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609529Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3ede3c99d8a049232cd6baae9d44518a73c19d93230a1d320407a3fc2f506569", "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "51f2041c-7a8a-5737-b7c7-81ff80a29566", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476692Z", "creation_date": "2026-03-23T11:45:31.476696Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476706Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f6f817b25ae79245b86072bc94445f9770905847274fe42da5982425721024f1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "52063f46-ec10-59b2-a17e-689557f8a155", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154367Z", "creation_date": "2026-03-23T11:45:31.154369Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154376Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "76014259f86bc9d475cee4224a575ef12f3ac36b450243bd95a96bdaa44a6c38", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "52081c76-6763-547d-abfb-1c397dc5e058", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620220Z", "creation_date": "2026-03-23T11:45:29.620222Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620227Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "50db5480d0392a7dd6ab5df98389dc24d1ed1e9c98c9c35964b19dabcd6dc67f", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "520bda32-7ae7-53de-91fe-7e2de6e096c3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974891Z", "creation_date": "2026-03-23T11:45:29.974893Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974899Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d33fe3bbcdf1ef7e42faf4ac81d7da3a6451eb67b477e78b75506b0df21cf598", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5212743f-a2e0-5408-8f64-fa5abf38315b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971524Z", "creation_date": "2026-03-23T11:45:29.971526Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971531Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab1290211250af83be645072d346693890f3f29feda5a3a23ea97758247f7ba1", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5225b412-128d-508d-8c8f-18dc7e803097", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983526Z", "creation_date": "2026-03-23T11:45:29.983528Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983533Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8bce4a327c9e77631c03057b0e45cdbb2e751194d42995c0310e3ccdd3d33b7c", "comment": "Vulnerable Kernel Driver (aka KfeCo10X64.sys) 
[https://www.loldrivers.io/drivers/3e0bf6dc-791b-4170-8c40-427e7299d93d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5227df82-4230-500e-bbdc-967a6ff44eb2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492503Z", "creation_date": "2026-03-23T11:45:31.492505Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492511Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1e68cc70961503821360b0736a94f0467a459663aedbf6796dad4181aa249a8d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "523170c7-5efc-5744-9349-7b2a9becf6b3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830221Z", "creation_date": "2026-03-23T11:45:31.830223Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830228Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "316e85e43f0045ae7750509fa89e4d48fdb7e47cd531da2256b8a2e6c54e6316", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5237593d-cad5-5f50-abc9-de0dba341973", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465198Z", "creation_date": "2026-03-23T11:45:30.465202Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465211Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "85b9d7344bf847349b5d58ebe4d44fd63679a36164505271593ef1076aa163b2", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "523b942d-1e72-5ff3-b3d1-53f595f974b7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459327Z", "creation_date": "2026-03-23T11:45:30.459331Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459340Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "26d67d479dafe6b33c980bd1eed0b6d749f43d05d001c5dcaaf5fcddb9b899fe", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "523ed949-7bc9-5147-a3a6-fcd5cae174df", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493516Z", "creation_date": "2026-03-23T11:45:31.493519Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493527Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "42274df7bd76ccb91baec7223fbb6c984abccf3c705a134a498305458f52e5a8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "523f993f-588a-5540-883f-13cfd924647f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.497533Z", "creation_date": "2026-03-23T11:45:31.497537Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.497546Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "de1bdf123f8b92d6250b02c89267823147ce36f1c0fd4fdca1bb18c2eb17952b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "524844ea-7cc0-58f2-bb74-72cc944c3776", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486473Z", "creation_date": "2026-03-23T11:45:31.486476Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486484Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b9d924ecdc0f37c9ebc71429052105e6493024c59b6990a9c6d5bd5846425be5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "524d68d9-8dea-56b9-a6d0-6be41c9bc78b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145679Z", "creation_date": "2026-03-23T11:45:32.145681Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145687Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "16aca71339240826d226f4adbfa73ea7b065f0f2d145d82d6ac2349d2ebba0d2", "comment": "Malicious Kernel Driver (aka driver_930da474.sys) [https://www.loldrivers.io/drivers/4c4e7664-af86-4483-858a-f59346f3d304/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "52528de0-a22c-5e68-8ec3-314907fc1416", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824586Z", "creation_date": "2026-03-23T11:45:30.824589Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824597Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee43ea46cb984759b46f88360079e5f4e7f80f6c5b177abff3c57ca3ba96069b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "525cf231-0c78-51dd-8dbc-4f44c0842b15", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463699Z", "creation_date": "2026-03-23T11:45:30.463703Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463712Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "406b844f4b5c82caf26056c67f9815ad8ecf1e6e5b07d446b456e5ff4a1476f9", "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "52622982-f318-500e-968f-42b35bca81bd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826491Z", "creation_date": "2026-03-23T11:45:31.826493Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826498Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "46c0c7f394a9a400ae7d7cc9de29c7de3d808adbc1d6c5e9f85ff0636871fabc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "527a8fd4-fa9c-5fd9-a1b5-4bbe8629a26a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818190Z", "creation_date": "2026-03-23T11:45:30.818192Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818198Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1336469ec0711736e742b730d356af23f8139da6038979cfe4de282de1365d3b", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "527be761-bcfe-5978-a2c0-f3326d2ad6ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611566Z", "creation_date": "2026-03-23T11:45:29.611568Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611574Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2fb8f2a0a32f2e73921a16a7836ff14122da45582aae742e6afd4d7ca15b3da3", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "527c2e61-93fb-583d-894b-638566768bef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978756Z", "creation_date": "2026-03-23T11:45:29.978758Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978763Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0052aa88e42055a2eed5ddd17c3499c692360155e5e031a211edfcef577acce3", "comment": "Malicious Kernel Driver (aka gmer64.sys) [https://www.loldrivers.io/drivers/7ce8fb06-46eb-4f4f-90d5-5518a6561f15/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5295bf7a-16eb-5adc-8b5e-cc9facc3f581", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481006Z", "creation_date": "2026-03-23T11:45:30.481008Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481013Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cbd4f66ae09797fcd1dc943261a526710acc8dd4b24e6f67ed4a1fce8b0ae31c", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5299bd65-8905-53bc-a00e-535c1a5a3674", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818825Z", "creation_date": "2026-03-23T11:45:30.818827Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818832Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e190b58266d9f7ce9681b834b0c7e6ab06e1305ab9258d714212a0bad58c0b4", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "529d4d24-ca23-5dc6-855d-b30ea991400a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822318Z", "creation_date": "2026-03-23T11:45:30.822320Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822325Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c2898d715a1806b6cb574bff1dcd4bb2fd026ac624a2fbe71b7f17a64d0a9451", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "529e41e1-a567-5074-ba3a-e1832b7f427f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477387Z", "creation_date": "2026-03-23T11:45:31.477392Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477402Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "44846eb04ec95ad86927cfc02e9c9a6d844aad4d1ec35f78af96ce947a34abcb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "52aac6e5-5194-5326-87ea-5f7d0d06bebe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, 
"username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469204Z", "creation_date": "2026-03-23T11:45:30.469207Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469216Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e6745f1ac0dc8014e359672c7d5d1c01588ab4a68ea96eea2dea811dcdcf5131", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "52ad1c48-ef9c-5e31-b35b-8fab3426ba4b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835236Z", "creation_date": "2026-03-23T11:45:30.835239Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835249Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "904bf42fb075bcf938002fb94cc789996f0382457c28b3840aac9c4f51d49c27", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"52b1f8d2-3e16-57ef-b881-1714ef44d937", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143633Z", "creation_date": "2026-03-23T11:45:31.143635Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143640Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "befe8b4c4c12f393e783fdccd07f6172ef58f80034999243b5bee5067daa75df", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "52b6c001-178b-53c7-b472-61e1c6d3f279", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475218Z", "creation_date": "2026-03-23T11:45:31.475222Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475232Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a09c5f5139ce37bf2341f475372528b0d904435e5c8bf00c9bb96a6bdc4c431c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "52bc6453-8972-5988-9327-a678846161dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487737Z", "creation_date": "2026-03-23T11:45:31.487739Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487745Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9ef0ef0e4a25261c5f26f42c079357746baf4bc4fe23844f2c2a0b3ca0a4ed61", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "52bd9ef3-dabf-5d05-ad32-a8849dfea35b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142790Z", "creation_date": "2026-03-23T11:45:31.142792Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142798Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "18e45ac31f7750ad3bab2dfc6776648f1ecb8c95bdbe2c59fa3b2438d3879e43", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "52ce985a-38f6-581a-b388-8ef6f2f61541", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811062Z", "creation_date": "2026-03-23T11:45:31.811064Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811069Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cc7f129e228fcb6f6b88fd3f7125bf406d8e243273d451861507a553b1cef028", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "52cec98f-d8b9-56db-aea6-d17f48db3f4d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828636Z", "creation_date": "2026-03-23T11:45:31.828639Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828644Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7842397055abfd4e47b669d3c0aa004fbb8c4e8b9ed6c30c9a8cae2bb24c7a1e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "52d55f1d-ed66-5d5b-b749-bb726322610a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465084Z", "creation_date": "2026-03-23T11:45:30.465088Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465096Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "673bbc7fa4154f7d99af333014e888599c27ead02710f7bc7199184b30b38653", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5304a61d-3ad5-5742-8ba6-7c908ba54b05", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159633Z", "creation_date": "2026-03-23T11:45:31.159635Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159641Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6f91b41629b47e7b5e9102ae70712c7fa9b903399e2de4b50ba86bcbf8e32f5b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5306fcf3-00cf-5003-8bf3-028c2401d1ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143315Z", "creation_date": "2026-03-23T11:45:32.143317Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143324Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b261d4065c03dcc732a951a9451b3a9f6054899eb3b8a4062dfed1c0ca3f3755", "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5315e712-040e-529f-9e26-248e49dd8384", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975639Z", "creation_date": "2026-03-23T11:45:29.975641Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975646Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3a65d14fd3b1b5981084cdbd293dc6f4558911ea18dd80177d1e5b54d85bcaa0", "comment": "Novell XTier vulnerable driver (aka libnicm.sys) 
[https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "53290af5-8482-59f6-a560-0ec05a691241", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621581Z", "creation_date": "2026-03-23T11:45:29.621583Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621589Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "841335eeb6af68dce5b8b24151776281a751b95056a894991b23afae80e9f33b", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "533e53b0-6165-56a3-bcf3-a1688a95c014", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159674Z", "creation_date": "2026-03-23T11:45:31.159676Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159681Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4c3720a4d0f874f5e33a916d51c9816bf97b0747d3fabee202b6dd65850da2fc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "533f4a17-e0ca-53d7-bb1b-8ab99f92e8bb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822282Z", "creation_date": "2026-03-23T11:45:30.822284Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822289Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a787df19468ba5fce5de825983251507867c6d3ff72d93e19466f2201013bab9", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "53407e2b-cef6-5c3e-98ff-322c638c16f9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462285Z", "creation_date": "2026-03-23T11:45:30.462288Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462297Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "caa87fc917ab2ccf9bf2ad715173d74e031626c6bd3c80dca01f27933fec7242", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "534f24ba-8291-52a8-9818-ebcdf85e6f0c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816918Z", "creation_date": "2026-03-23T11:45:30.816920Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816926Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b177164100a31fd01e7f0a24cb0a32015736d3c7c65744c21914a2d4459ef83d", "comment": "Vulnerable Kernel Driver (aka CP2X72C.SYS) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "53523b27-2616-5189-9754-e344bc35fbc4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.603813Z", "creation_date": "2026-03-23T11:45:29.603830Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.603843Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b9ed73af3aef69dc1fb91731d6d0a649e93f83d0f07ddb9729d71c2d00ed0801", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "53576683-d7cc-560a-914d-19d46271986b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969326Z", "creation_date": "2026-03-23T11:45:29.969328Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.969335Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dcb815eb8e9016608d0d917101b6af8c84b96fb709dc0344bceed02cbc4ed258", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "535b3f6b-a52f-5870-b2b6-cea9a1acc571", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620531Z", "creation_date": "2026-03-23T11:45:29.620532Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620538Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "405472a8f9400a54bb29d03b436ccd58cfd6442fe686f6d2ed4f63f002854659", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "536a5f69-5ed6-5702-9448-65b3ce0cee3d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150053Z", "creation_date": "2026-03-23T11:45:31.150055Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150061Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8dfde0032a696096b94df74e932b6f013cd93f34ec0d41caf30d1b06193b907c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "53717789-cd42-53fc-bcd2-47a213d5084f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147806Z", "creation_date": "2026-03-23T11:45:31.147808Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147813Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2b147582875918a84fbf5e07343a6b06bd533d79924c159549d07b63a8b0b8ab", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "537b981d-754d-5cbc-b4f5-45c203388138", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819731Z", "creation_date": "2026-03-23T11:45:31.819734Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819742Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d56a9c9ce41cc5233163b3d82c646eef8eb726c441a3c0c5a46d6f5ca6c35dcf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "537be632-afd9-5b5b-b3ed-c4a6ebb8b6d9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976267Z", "creation_date": "2026-03-23T11:45:29.976270Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976279Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6b5cf41512255237064e9274ca8f8a3fef820c45aa6067c9c6a0e6f5751a0421", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5381555b-044c-59dc-b7a5-1b9d6f6e78d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976835Z", "creation_date": "2026-03-23T11:45:29.976838Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976843Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6b17dce96ba5ae4fbbac4446758dd23ad117864bdb5c4434cb6c157947ec29c1", "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "53853beb-3e99-5904-8361-2b939bc5f7d2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156161Z", "creation_date": "2026-03-23T11:45:31.156163Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156168Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "df7b1b37fb9096d864de7e8a1c136b60c92994de9e3b1f3cb51a0427eb730984", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "53963025-fdd0-5008-bc46-d37e4cea4802", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476647Z", "creation_date": "2026-03-23T11:45:30.476650Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476659Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3ad340c8a4a6e071e15095fd286b600847cd600b7312bd573802f26a73600da7", "comment": "Vulnerable Kernel 
Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "539d7e02-dee4-59dd-ad44-491bd1da746b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817426Z", "creation_date": "2026-03-23T11:45:31.817428Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817433Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "08ad4c86222f9964418384d93320da01e5779bfd01b0ced82a33696340bca080", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "53a0030f-6c03-535f-8076-2f9781d655bd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461612Z", "creation_date": "2026-03-23T11:45:30.461615Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461624Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47bcbe0e7087cde7a9fb01fcec12b5ab185112c8f7f5638543715efa774b0cec", "comment": "Malicious Kernel Driver (aka 5a4fe297c7d42539303137b6d75b150d.sys) [https://www.loldrivers.io/drivers/75b9b0c5-dd3e-4cf3-a693-c80f2feabb6a/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "53a5fd02-f143-5408-aa1b-d2a45341aef6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612215Z", "creation_date": "2026-03-23T11:45:29.612217Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612222Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5a021532f0ac453256526428ccf3518cdba4c6373cc72f340ba208b6c41b3a9e", "comment": "Vulnerable Kernel Driver (aka mhyprot3.sys) [https://www.loldrivers.io/drivers/2aa003cd-5f36-46a6-ae3d-f5afc2c8baa3/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "53b42dda-f89e-5e56-9331-484c2a69e399", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487540Z", "creation_date": "2026-03-23T11:45:31.487542Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487548Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "378cd87cd469810c4933eb81c389bb49ed0df8b0064dfdd4fc69da83a7f95f71", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "53b75eec-1a13-5d2a-8eb3-375427f39d72", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820380Z", "creation_date": "2026-03-23T11:45:31.820383Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820392Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "df5ac5e5d60ea0742544507f31c9e5d8fe56191005722d27253b16bf443ff911", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "53b81b2e-4e4e-5562-bc85-929b54af481d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482218Z", "creation_date": "2026-03-23T11:45:31.482222Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482263Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "327d978392ef5f9e18c90a38083fde7a58798cb4b83d47c6f991971e8dc50de0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "53c1e441-99b0-53c0-9f3a-34a7713a8cde", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820807Z", "creation_date": "2026-03-23T11:45:30.820809Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820814Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8047859a7a886bcf4e666494bd03a6be9ce18e20dc72df0e5b418d180efef250", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "53c3e2af-d0ef-52d4-8d49-aae6b9b980c7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604014Z", "creation_date": "2026-03-23T11:45:29.604016Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604022Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d7cc798804f07ba04cb1ed9233c5852d147b56df612117c54667cf3ebba975de", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "53cc438d-274f-51f4-bf9d-ec3cbd5dbadf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.478715Z", "creation_date": "2026-03-23T11:45:31.478719Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.478727Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ca062e16443d7a58c3bb3c636fb5ba996bfd587b7fe579f0164d9e705b2f94e9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "53d74c83-28a7-56d9-a392-82769a8651a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604626Z", "creation_date": "2026-03-23T11:45:29.604628Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604634Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "afb9e6b70f707149e7243e41ffafbdda463da9a890c56091c454df60608efa0f", "comment": "Malicious Kernel Driver (aka daxin_blank3.sys) 
[https://www.loldrivers.io/drivers/9748d5c8-62dd-474b-a336-0aadb49e5ff9/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "53d790fb-a44c-50cd-a72e-57526a7e14b1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808506Z", "creation_date": "2026-03-23T11:45:31.808510Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808518Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "97744605f30900e2683e4d350ff13ac9a99d277217a53801afd7075d4f12acbd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "53d7e0f5-f489-5f27-9ebe-8f47a88d8bbd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616115Z", "creation_date": "2026-03-23T11:45:29.616117Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616123Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8bda0108de82ebeae82f43108046c5feb6f042e312fa0115475a9e32274fae59", "comment": "Phoenix Tech. vulnerable BIOS update tool (aka PhlashNT.sys and WinFlash64.sys) [https://www.loldrivers.io/drivers/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "53fbf268-35fd-5cfc-ad29-7c610baa5971", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808902Z", "creation_date": "2026-03-23T11:45:31.808904Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808910Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47945068899bc61f8607d27995c73b3cb7228cded69f9ec96485e0c0f44ea2bc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5411539a-0196-5268-841f-ab7ddbef4d51", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818330Z", "creation_date": "2026-03-23T11:45:30.818332Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818337Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f64a78b1294e6837f12f171a663d8831f232b1012fd8bae3c2c6368fbf71219b", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5411c76f-f733-5710-9e82-9a05fc418419", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825940Z", "creation_date": "2026-03-23T11:45:30.825944Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825959Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3a1e98520eab5654dbfec4d96d9a2c90c874882f41aae2a38d746e83a11bb96d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "541945b5-60e1-55f6-abeb-ceff7f5c8384", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982982Z", "creation_date": "2026-03-23T11:45:29.982984Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982993Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c36ace67f4e25f391e8709776348397e4fd3930e641b32c1b0da398e59199ca7", "comment": "Vulnerable Kernel Driver (aka WiseUnlo.sys) [https://www.loldrivers.io/drivers/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5443dc9f-4fde-5fde-9e0c-4d604b2d0d3a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154186Z", "creation_date": "2026-03-23T11:45:31.154188Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:31.154194Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e31580793b8b73db0cc688a858522d9827aab9c726c3d06c948d4e4fb53e26a6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "544af126-1a38-5af3-91f7-715e19602716", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149507Z", "creation_date": "2026-03-23T11:45:31.149510Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149519Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee8a5173f1b5da1bbfe049d646c2c2621ea36163fe4e66f37641562e842ea9dd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "545460b2-4376-5b34-a71f-fa28fb7d311c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976939Z", "creation_date": "2026-03-23T11:45:29.976941Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976954Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "091f6527aa79951fb0b4df269c0ea2247a13053e0d55784e29694381fe4f6fed", "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "54571b5c-42d1-5b5f-9bdc-b8ead4672067", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489144Z", "creation_date": "2026-03-23T11:45:31.489146Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489151Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "77903888069df50a2d881c1cc50c6aea35e47bcee9acf603347eb0ea6c71ad47", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "545b3b9e-b903-59b6-8b96-8d20531dc7a6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823063Z", "creation_date": "2026-03-23T11:45:31.823066Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823074Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9b9a9b525d155296647f4288dcb64c3f5df82dd31f499cdf73abcef531121d0c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "545d0801-0984-5187-bf92-bb28ada9ce66", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984619Z", "creation_date": "2026-03-23T11:45:29.984621Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984627Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f9fead3227d5cf7daf8c5312db672bc7a684e2216b2f48ff2fcd14493bc9c254", "comment": "Vulnerable Kernel Driver (aka sfdrvx32.sys) [https://www.loldrivers.io/drivers/2ada18ae-2c52-49b6-b1a0-cf3b267f6dc7/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "545f625a-f25c-5251-a839-ce21fca8fd80", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452402Z", "creation_date": "2026-03-23T11:45:30.452406Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452415Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bdc73f752c1353d41e877d8bf42a1c53f0bba7d6f52348aaef60e06f4d3087d0", "comment": "Vulnerable Kernel Driver (aka Chaos-Rootkit.sys) [https://www.loldrivers.io/drivers/abcd2c10-1078-4cf9-b320-04ca38d22f98/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "545fa788-bd8a-50fd-90bd-30dae7d0b7ac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481549Z", "creation_date": "2026-03-23T11:45:30.481551Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481557Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ce8583768720be90fae66eed3b6b4a8c7c64e033be53d4cd98246d6e06086d0", "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "547ffa79-1314-5e96-93e7-5dd23ebe5192", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610441Z", "creation_date": "2026-03-23T11:45:29.610443Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610448Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "523d1d43e896077f32cd9acaa8e85b513bfb7b013a625e56f0d4e9675d9822ba", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] 
[https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "548e6fbf-d5f1-5867-a0d4-ed3fea70be40", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809519Z", "creation_date": "2026-03-23T11:45:31.809522Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809530Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cea02a0e948cf58a39d404c6371aa7f3badeacc542d5173304cd75eea689f90e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "54910e8b-283e-5fa8-b71d-dd3cc5473565", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150339Z", "creation_date": "2026-03-23T11:45:31.150341Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150346Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7d97f87f747274a8ce33b70b6fc20361906672880ef474a85039538cef63f45f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5491403c-b558-5497-b1da-240cca8afa8c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833938Z", "creation_date": "2026-03-23T11:45:30.833941Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833958Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "912623216966eab3524716f2b68903f69487a577461a946b5e15a42804303561", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5492162c-3aa8-581a-a88c-a49c71ed5f00", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807742Z", "creation_date": "2026-03-23T11:45:31.807745Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807753Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bd2b9349201d03dfeeb1a47c3474e3d18cce36b6b8d8c3373d8e83a2aabfd1b0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "54998e06-fa00-5425-b217-1774336bb8e5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467061Z", "creation_date": "2026-03-23T11:45:30.467064Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467073Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ebc3a28af05f5b0b456f6ea59ad613109bbb1e2a888d7e3808e331335a77f087", "comment": "Malicious Kernel 
Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5499e5ac-acfb-516e-a2a5-04ed97f553c2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612850Z", "creation_date": "2026-03-23T11:45:29.612852Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612857Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6a4875ae86131a594019dec4abd46ac6ba47e57a88287b814d07d929858fe3e5", "comment": "Marvin Test Solutions HW vulnerable driver (aka Hw.sys and Hw64.sys) [https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "549b2905-b170-5281-8571-96df7e84c434", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463867Z", "creation_date": "2026-03-23T11:45:30.463889Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463898Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "087270d57f1626f29ba9c25750ca19838a869b73a1f71af50bdf37d6ff776212", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "549e68e8-be40-52a3-abdd-340b05512cfa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481713Z", "creation_date": "2026-03-23T11:45:30.481715Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481720Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c9aeead632435bda4f5723fff5c48dc60451072bfc8649f2ad6e066ca910934a", "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "54af8a41-e081-5f4e-89fa-d438f89ff61d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142090Z", "creation_date": "2026-03-23T11:45:31.142092Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142098Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "185d458f1f9f4777c5fe7c1cc5bbc1a2630fe7251b8b6388525494552fa5e1fa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "54b01b32-545c-5583-8b27-33360856a8ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980515Z", "creation_date": "2026-03-23T11:45:29.980517Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980523Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9d61963c098b07fa7ee6dba40f476fc5d2f16301d79a3e8554319d66c69404a9", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) 
[https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "54b492d3-3e5d-50e9-8fbf-29ea3313846e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807850Z", "creation_date": "2026-03-23T11:45:31.807854Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807863Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "228412527401e09d723d5346b33d856986817a4a10fcf30f84d62824b9689252", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "54baf95f-00c3-59cf-b1ef-909dc34d6a57", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816999Z", "creation_date": "2026-03-23T11:45:30.817002Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817007Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3c95ebf3f1a87f67d2861dbd1c85dc26c118610af0c9fbf4180428e653ac3e50", "comment": "Vulnerable Kernel Driver (aka SMARTEIO64.SYS) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "54c7a0f9-b9a3-5728-b609-ae7e8036736c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968385Z", "creation_date": "2026-03-23T11:45:29.968387Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968393Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "91b0fdd5bfc596b2f7c9db33e822d24f378c706daf6f92682c5fe1043e547f8d", "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "54d588e1-f047-595b-b63e-ec2d61cd755c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160812Z", "creation_date": "2026-03-23T11:45:31.160815Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160820Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1b430c1396d7d6bde1ea75da781c46b7e20ebcb8f8c3056746901cb9682a64ce", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "54d8bf0b-bf17-512f-b48f-b32b2f431ab0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457421Z", "creation_date": "2026-03-23T11:45:30.457424Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457433Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a6f7897cd08fe9de5e902bb204ff87215584a008f458357d019a50d6139ca4af", "comment": "Vulnerable Kernel Driver (aka rtkio64.sys) 
[https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "54df11fe-b1c6-56a2-b50f-ad2baf2adf02", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472065Z", "creation_date": "2026-03-23T11:45:30.472069Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472078Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "405a99028c99f36ab0f84a1fd810a167b8f0597725e37513d7430617106501f1", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "54e1c019-7b80-5cd5-92d1-52172545936d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978101Z", "creation_date": "2026-03-23T11:45:29.978103Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:29.978108Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f51bdb0ad924178131c21e39a8ccd191e46b5512b0f2e1cc8486f63e84e5d960", "comment": "Vulnerable Kernel Driver (aka BlackBoneDrv10.sys) [https://www.loldrivers.io/drivers/722772ee-a461-48ec-933d-f3df1578963e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "54ef37df-7f39-581d-8407-9fa4a5b6fc1d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612163Z", "creation_date": "2026-03-23T11:45:29.612165Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612171Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8ced17d1ee92ae72749afdfe40f5029223d97f0f977e718bd5ab1242d1ff7cb5", "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "54f47568-6095-56ae-8307-0806875b29b0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151388Z", "creation_date": "2026-03-23T11:45:31.151391Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151399Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "073c3c6dcdb4534b061a6378d72dfd92ca78584c93cec37df09c1eaac1d57506", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "54f6785f-7f93-568d-9df9-e04453eed8e7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808396Z", "creation_date": "2026-03-23T11:45:31.808398Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808403Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fb5f1a8c2dfbd57065f4695958fe22532288ce092a32a867acadd1db3730c49a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "54f76205-0ef5-5c5f-b3ff-e961395117a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614283Z", "creation_date": "2026-03-23T11:45:29.614285Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614290Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5f39b84cb5132d4facff213c630b05ec97ef9d83b93579530152310d63945762", "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5505f3cc-5c92-5aaa-b79e-a7f2753f3c3c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483012Z", "creation_date": "2026-03-23T11:45:31.483016Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.483025Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "032fbb9095a8449395e46ffba821eeebaed55a320785319125abccd9611904c8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "55377e42-c20c-5085-8ed0-dfdf378e18ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618356Z", "creation_date": "2026-03-23T11:45:29.618358Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618363Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f1fbec90c60ee4daba1b35932db9f3556633b2777b1039163841a91cf997938e", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5539433b-070f-5d36-8dc4-cdbf454284ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828293Z", "creation_date": "2026-03-23T11:45:30.828295Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828301Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e8cd9ba40871830debe83d134d38cb5a287d59eede0a01eca839f55cf10c558e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "555a0a48-b893-5930-b21a-d41fb24f2639", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477484Z", "creation_date": "2026-03-23T11:45:31.477488Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477498Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0ffd4812b2a3634efb630521b4c94c643d100e929d5c5e163314a18fb9561bd7", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5564e6bc-0a83-5089-ba3e-a77e6f605048", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491547Z", "creation_date": "2026-03-23T11:45:31.491550Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491558Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c60b91241bb1de59b66dea8da67e28acda648876e8fcae986943fd063ce0c57b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "556bde27-78ae-5335-a0e0-7816eb7b044f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967548Z", "creation_date": 
"2026-03-23T11:45:29.967550Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967556Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e0afb8b937a5907fbe55a1d1cc7574e9304007ef33fa80ff3896e997a1beaf37", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "55791f08-d072-5bbb-825a-89f2f56d19b5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621158Z", "creation_date": "2026-03-23T11:45:29.621160Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621166Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ac22a7cce3795e58c974056a86a06444e831d52185f9f37db88c65e14cd5bb75", "comment": "CoreTemp Physmem dangerous drivers (aka ALSYSIO64.sys) [https://www.loldrivers.io/drivers/4d365dd0-34c3-492e-a2bd-c16266796ae5/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "557f98c7-d5b1-5880-a8cf-b249060f36ad", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818119Z", "creation_date": "2026-03-23T11:45:30.818121Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818126Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d330ab003206ce5e9828607562790aa8dd0453f6b7452f5c6053e3c6b6761d25", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "55974905-e240-5715-be13-75013c1fdd63", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.158917Z", "creation_date": "2026-03-23T11:45:31.158919Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.158924Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1e4a40946e097a56b9dc105dc39add411e5ebd1a0593ba04fdfeffc07635f1e0", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "55983824-3dd7-58af-9712-8eeb85f43478", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829790Z", "creation_date": "2026-03-23T11:45:30.829792Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829798Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d4f8c66b3d2ca6209e2195c8f87b6f5be13ec83e216bdbbda8c8dabe57de9e85", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "559f4539-0fec-57ad-b8ed-6089f78d7e7b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.484616Z", "creation_date": "2026-03-23T11:45:31.484623Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484635Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dcf4959a9c7da3ea2bee30db220fa32e2ba7dd15148aeea915ed7d0a190dd27d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "55a99ee6-30fd-5760-81e2-3890d0471643", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479368Z", "creation_date": "2026-03-23T11:45:30.479370Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479375Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0d30c6c4fa0216d0637b4049142bc275814fd674859373bd4af520ce173a1c75", "comment": "Vulnerable Kernel Driver (aka segwindrvx64.sys) [https://www.loldrivers.io/drivers/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "55be148e-7e16-5877-85cd-5ac63aab047e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498173Z", "creation_date": "2026-03-23T11:45:31.498176Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498184Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b116e94f25a40b4b11297df6d41f282b58ea0bd802eeee167df246105b523d69", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "55c375cd-4c5a-5ad5-b059-1a1c06bb50e1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822635Z", "creation_date": "2026-03-23T11:45:31.822638Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822643Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ce7560d16469ada1f2a95e0f1499b9f50dead6fa42048511fc921e6e22514b7f", "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "55cd6dda-cef3-59a8-94ec-1dcc8670f171", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461012Z", "creation_date": "2026-03-23T11:45:30.461016Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461025Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d9a3dc47699949c8ec0c704346fb2ee86ff9010daa0dbac953cfa5f76b52fcd1", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "55d91bfc-5e66-5bd2-9f26-c79ef2157673", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478221Z", "creation_date": "2026-03-23T11:45:30.478224Z", "enabled": true, "block_on_agent": 
true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478234Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a233680b53bcdfba264005644e51bfa4ba9923f0a3544ed4596e28fb9f3fd682", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "55f35b79-b9c8-5c22-af5c-bd0a4d8b9eba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610546Z", "creation_date": "2026-03-23T11:45:29.610548Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610554Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "80eeb8c2890f3535ed14f5881baf2f2226e6763be099d09fb8aadaba5b4474c1", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "55f7b8b5-e1ae-5374-b5b0-4c2e24790da8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469914Z", "creation_date": "2026-03-23T11:45:30.469917Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469927Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6094d55d6c7b4fd45cd06658600cef49007bcb73d6a0ab62f6eeabaa19bfd333", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "56086a2b-a746-568b-9cb7-b6a0ca71a39a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143325Z", "creation_date": "2026-03-23T11:45:31.143327Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143332Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cc7ffe53ce3aacf3cd8b22428dfdf4eebc1ed108f9b99db01ca8fcee10357bbf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "560cd67c-5c1a-5df0-9734-4dce10ff6fe4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984390Z", "creation_date": "2026-03-23T11:45:29.984392Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984397Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b8ded5e10dfc997482ba4377c60e7902e6f755674be51b0e181ae465529fb2f2", "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "56156324-c52d-56ab-97d2-b20b8c56bc6f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459049Z", "creation_date": "2026-03-23T11:45:30.459052Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.459061Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "edc6e32e3545f859e5b49ece1cabd13623122c1f03a2f7454a61034b3ff577ed", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "56222889-7449-57ff-8c3f-84a06c6d5b4f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487667Z", "creation_date": "2026-03-23T11:45:31.487668Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487674Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "19b104b64874cce9c1b72817b1d5c1d2835ab1d7e1edd7d48e2f7495dc276b3f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "56397402-72ad-59b1-9e41-ddb2500fd02e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823141Z", "creation_date": "2026-03-23T11:45:30.823143Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823148Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller AntiMalware Driver (aka truesight.sys) [https://github.com/ph4nt0mbyt3/Darkside] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "563bd491-4695-50a1-ac7e-f8c8d38f7f74", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980751Z", "creation_date": "2026-03-23T11:45:29.980753Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980758Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2b4af74d74a4380130a1c46d2f1ffe112d87d9d7646540bbbd201c5bd176082b", "comment": "Vulnerable Kernel Driver (aka CtiIo64.sys) [https://www.loldrivers.io/drivers/de365e80-45cb-48fb-af6e-0a96a5ad7777/] [authentihash SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "56436029-5d9d-53d7-b9a7-21d497b6fc60", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.815934Z", "creation_date": "2026-03-23T11:45:30.815936Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.815942Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ea2a3a6edb3c772f9d358a720f9106260ef22d339bd3c7895e7b5cda03e424d", "comment": "Vulnerable Kernel Driver (aka FPCIE2COM.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "56441626-5caa-52a6-8fbc-1a1b25e8742f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976714Z", "creation_date": "2026-03-23T11:45:29.976717Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976726Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "38dc036f6cd4917b816e6c362fab85012659225558d8a285ff53cae3ebbdff6c", "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5657b5eb-897c-5b2d-8fa4-52c8ca33a55d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605682Z", "creation_date": "2026-03-23T11:45:29.605684Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605689Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "08f80ad2c7614874b87fcf907a49c7f5a7e2816907283c19c6ff4f7b982da83f", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "565e8b69-dfbc-5d47-955f-78cdb4885619", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973654Z", "creation_date": "2026-03-23T11:45:29.973656Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973661Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5027fce41ed60906a0e76b97c95c2a5a83d57a2d1cd42de232a21f26c0d58e48", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "56637350-6aea-555e-8528-10845613db85", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604446Z", "creation_date": "2026-03-23T11:45:29.604448Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604454Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0a2d4815a03365d40b2b22981d4d8bee81bfbd983db1af30ce497fcdf77f83c9", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"56824a2c-5a67-5eaf-bc35-4b270622f0a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980237Z", "creation_date": "2026-03-23T11:45:29.980239Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980245Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "567809308cfb72d59b89364a6475f34a912d03889aa50866803ac3d0bf2c3270", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "568a2260-7822-559f-8712-91b6d9001238", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489126Z", "creation_date": "2026-03-23T11:45:31.489128Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489133Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "af8965f99b720fae41fe2516dd6a670eefb81fb75817ae0a0d2b9299226ec22c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "56998a53-b33e-5878-a59c-efb8de52bad8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480622Z", "creation_date": "2026-03-23T11:45:31.480626Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480636Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "32be3865897c1423e766f12f0844379dbf66b3453573baa7208cffa5f2863380", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "569ccba0-7180-5c9f-aab3-dff41529e892", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473005Z", "creation_date": "2026-03-23T11:45:31.473008Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473016Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ec5a5a764b10d24330442ad8c430689cf9fe3d3d5736a865024b0fe69200fedf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "569d7171-641e-5dad-8fdb-0c2e5086d9de", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464762Z", "creation_date": "2026-03-23T11:45:30.464766Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464774Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4c89c907b7525b39409af1ad11cc7d2400263601edafc41c935715ef5bd145de", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"56ac63a3-f3c1-542d-8ed2-361423412c15", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817097Z", "creation_date": "2026-03-23T11:45:31.817099Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817105Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "273fb23894e8fc17634c298d924c95bc49f7dddb11a7b9aa6204bb377371445e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "56bb8a44-0b37-5722-8d54-42f8091f25fe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454358Z", "creation_date": "2026-03-23T11:45:30.454362Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454371Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4", "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) [https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "56c72148-3d6a-5bc0-b96b-42db4ccd9943", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819550Z", "creation_date": "2026-03-23T11:45:30.819552Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819557Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "64a8e00570c68574b091ebdd5734b87f544fa59b75a4377966c661d0475d69a5", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "56c87519-c83c-54bf-86b5-35d2f50f8a13", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:29.972301Z", "creation_date": "2026-03-23T11:45:29.972303Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972308Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "94b42f99cb2ac4db601a3759afe374168bad1714bd48662d74fed69099517a65", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "56cd4429-61e3-527d-af02-afd9fd8fc001", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156466Z", "creation_date": "2026-03-23T11:45:31.156468Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156474Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "15a4c8495fc6e8d94c7b7a2f8a05ed92a563b51f915929ef2e46261ac5793a07", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "56d89bbc-8281-50e1-b537-f63b2906bda9", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823179Z", "creation_date": "2026-03-23T11:45:31.823182Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823190Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "10604ddc07eb097b4ec8cfaff0b94f35722baab0e8e4ac66fecf2aa2b45a5c1a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "56ec96f0-ffc5-5419-97a3-134ed8446ac1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492785Z", "creation_date": "2026-03-23T11:45:31.492787Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492793Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "1fd5786000e1c8e0c60129b3acfe9ae0128f8c4fadb5308ed8e05207c7dffecc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "56ee56dd-cd2f-5962-ada6-e3af6b0ad354", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482663Z", "creation_date": "2026-03-23T11:45:31.482667Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482677Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9347d7132656d9e9996aef18700e0cc8abb3e88b082b78ed1ece49c5614cb745", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "56fedf0c-150a-5ed8-9ca6-d1fac98d887f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159768Z", "creation_date": "2026-03-23T11:45:31.159770Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159778Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0ccab572ef2e48b88b5771be6f1c8edbbbf726ab25fcf104ac7cc309ab5d0cb1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "57064d2b-418b-50c2-b59c-2194f0a14f27", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147824Z", "creation_date": "2026-03-23T11:45:31.147826Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147831Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5a10f757dff2b419be2a656edb466d23dd04f1e3bcba39f8d5b371b9a7075eff", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5719b49c-488e-5201-91ae-dddb68c22ae9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808939Z", "creation_date": "2026-03-23T11:45:31.808942Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808954Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "add7cf1ac2d779e1c976e9f71ab09fbf907c1ba6e77e8c8d55c5dab4d73a2d4a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "571a10f6-eeed-5b34-93ad-7a5f4d74315f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472314Z", "creation_date": "2026-03-23T11:45:30.472318Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:30.472327Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8a0702681bc51419fbd336817787a966c7f92cabe09f8e959251069578dfa881", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "572affc0-f4b9-514d-9c5a-7a9600d5bc75", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154282Z", "creation_date": "2026-03-23T11:45:31.154284Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154289Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f7267ed91737dfcf283c524f8f77119afc4ca9dd679f35fafe1187be8f815f6e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "572d304f-d972-5498-9537-6462a3a34e91", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969274Z", "creation_date": "2026-03-23T11:45:29.969276Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969282Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ad8ffccfde782bc287241152cf24245a8bf21c2530d81c57e17631b3c4adb833", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "57325f85-54a4-5fa6-b985-392f892907c5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971968Z", "creation_date": "2026-03-23T11:45:29.971970Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971975Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "19bf0d0f55d2ad33ef2d105520bde8fb4286f00e9d7a721e3c9587b9408a0775", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5733b3d0-b9e9-5d21-a902-a154077b3dd6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160552Z", "creation_date": "2026-03-23T11:45:31.160554Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160560Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "89e3b48604ac98da4da740008b29295ad622b15a2f7eeec1fd5317d926ebe5c0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "57395476-b9bf-5ab1-843f-744ed5960536", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608831Z", "creation_date": "2026-03-23T11:45:29.608833Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608838Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7e5abe4530eff3838d44516f95c15d8b3ec6cec44ca7b67998e50641c939d12a", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5740ede6-c4bf-5a59-bafc-b83fa883e0d3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608265Z", "creation_date": "2026-03-23T11:45:29.608267Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608272Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "85d21ad0e0b43d122f3c9ec06036b08398635860c93d764f72fb550fb44cf786", "comment": "Vulnerable Kernel Driver (aka STProcessMonitor.sys) [https://github.com/ANYLNK/STProcessMonitorBYOVD/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "57459303-ac3a-5571-8b1f-f184176e461d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490540Z", "creation_date": "2026-03-23T11:45:31.490542Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490548Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea32fb5b27bc5cf85af687d61837cee2ac67d2412c58ac32a7375afc8a7b3d39", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "574a0095-9367-5774-b5ba-bc362c9beac9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142379Z", "creation_date": "2026-03-23T11:45:31.142381Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142387Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "27ec009fd86898d1319bfe14483d131155e4b929fc8362cda1ab024960725474", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "574dc119-3840-538c-a80a-73ceff7626d2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495799Z", "creation_date": "2026-03-23T11:45:31.495801Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495807Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e0872cd9f466ee89a64da287dd8dad21e0e73fd881c99f4c8200d76dcda31430", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "57649369-37b8-5350-bc75-192d7e9425cd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817817Z", "creation_date": "2026-03-23T11:45:31.817820Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817829Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4d95a9e6997a67a6a0d585f07615677820e018e8ed1fa34e50acf0d46cbcfbf1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "57661967-aa58-5c12-81fd-887a50fdafb8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610245Z", "creation_date": "2026-03-23T11:45:29.610247Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610253Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0d3790af5f8e5c945410929e31d06144a471ac82f828afe89a4758a5bbeb7f9f", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "576e210c-edd3-53d5-886a-9f1a0617b5b4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142036Z", "creation_date": "2026-03-23T11:45:31.142038Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142044Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6f75699c821358703cf59589e13d48e83d51dcb051a4af138cf0e1f7d6d92183", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "577057c5-23f1-5cf1-b8a6-45190e460df3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143006Z", "creation_date": "2026-03-23T11:45:31.143008Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143014Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "393ff33aa9e04350277df6435f9d132f28e8af72668cc7d1db3644601dd22a47", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "577371aa-1a00-587d-af4a-269529be1886", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477756Z", "creation_date": "2026-03-23T11:45:30.477759Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477803Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fe50be756c689ef56976d96135486ee66192a4de0b82b0d52521978fc589f6fa", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "57784f2e-1743-5405-a96b-a9ddbed4ae6b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486747Z", "creation_date": "2026-03-23T11:45:31.486750Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.486758Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d8a03dde054c42419614e7649b9453368130accaf814baad15464eaef4e8e9b3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5779cade-e444-5bde-aae0-037ec951d655", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609094Z", "creation_date": "2026-03-23T11:45:29.609096Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609101Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8b92cdb91a2e2fab3881d54f5862e723826b759749f837a11c9e9d85d52095a2", "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "577cbf9a-0fc9-5e54-8006-61bfc349be68", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820805Z", "creation_date": "2026-03-23T11:45:31.820808Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820817Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9c087844540dd9583221e2e5d10b1697cca3b8dfe1d1bffe0daf33cebcc7c524", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "57830ccb-a899-597a-9e62-dd2401600958", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474054Z", "creation_date": "2026-03-23T11:45:31.474058Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474069Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "72d1c35e3a767ed6f6363e51e1c63f2fbfd076f7b2f2d286a64cd753122a33cb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] 
[file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5786eae6-a35f-54e9-a5d8-320c2399bcf4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477820Z", "creation_date": "2026-03-23T11:45:30.477824Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477833Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "253a549a1e13a5a7e242ac1b39d5bebc61dcec7794171a58093700ae760d4b71", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5787a165-db37-5a20-bead-f5edb69594c9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155506Z", "creation_date": "2026-03-23T11:45:31.155508Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155513Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bb0b66a978846cb92f09b2badcc5ef4a473383748e94645f81851794a0f27350", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "578ac9b1-9fe0-5dcf-a96e-02585fa08cb9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817661Z", "creation_date": "2026-03-23T11:45:30.817663Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817669Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6575ea9b319beb3845d43ce2c70ea55f0414da2055fa82eec324c4cebdefe893", "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "578e31a5-9066-5ae2-b2f6-06e35c3e19b1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": 
{ "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811186Z", "creation_date": "2026-03-23T11:45:31.811189Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811194Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "31b4ddfe88418a83c71ce8d882403587caa02b2adeaedd3a24ece3863987451c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "579c7a5f-58cd-5f07-8a77-290c16ea399c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461296Z", "creation_date": "2026-03-23T11:45:30.461299Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461308Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "88fb0a846f52c3b680c695cd349bf56151a53a75a07b8b0b4fe026ab8aa0a9af", "comment": "Vulnerable Kernel Driver (aka sfdrvx64.sys) [https://www.loldrivers.io/drivers/5a03dc5a-115d-4d6f-b5b5-685f4c014a69/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"579dffb8-b7b9-59d1-b3b3-3838a865d62a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973776Z", "creation_date": "2026-03-23T11:45:29.973778Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973783Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7837cb350338c4958968d06b105466da6518f5bb522a6e70e87c0cad85128408", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "57a32dc1-aa48-5e1e-86f3-9d04b0502187", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453606Z", "creation_date": "2026-03-23T11:45:30.453610Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453619Z", "rule_level": null, "rule_level_override": null, "rule_confidence": 
null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "677ec2df835069678876defc3ef5ff73f463ad39e8466d76632d06f6a29a494f", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "57adfffe-1eea-5ef0-8b2f-60401cf49f18", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977107Z", "creation_date": "2026-03-23T11:45:29.977109Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977115Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b17507a3246020fa0052a172485d7b3567e0161747927f2edf27c40e310852e0", "comment": "ASUS vulnerable VGA Kernel Mode Driver (aka EIO.sys) [https://www.loldrivers.io/drivers/f654ad84-c61d-477c-a0b2-d153b927dfcc/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "57b0b2e2-69ff-51b9-bec1-18c2f17e2a40", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.462228Z", "creation_date": "2026-03-23T11:45:30.462231Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462240Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "76718b87861bf6e502aa95ea85e378326c8db1759fe010c941b26cba3c881133", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "57b33225-5119-53ab-a6be-b6f8dd45035c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985539Z", "creation_date": "2026-03-23T11:45:29.985541Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985547Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5ed22c0033aed380aa154e672e8db3a2d4c195c4", "comment": "Malicious BlackCat/ALPHV Ransomware Rootkit (aka fgme.sys, ktes.sys, kt2.sys and ktgn.sys) [https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html] [file SHA1]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "57b68ae8-9a2a-5132-8dc0-5f2598228c1e", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475988Z", "creation_date": "2026-03-23T11:45:30.475991Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475999Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6cf1cac0e97d30bb445b710fd8513879678a8b07be95d309cbf29e9b328ff259", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "57b73945-b57e-52a7-a8a1-a4f6075d183b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454241Z", "creation_date": "2026-03-23T11:45:30.454244Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454253Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "31867db933ed4407d22de8f0ef9b52958c40c63c2328e1863dfd3fe58d3b53c3", 
"comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/bc5e020a-ecff-43c8-b57b-ee17b5f65b21/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "57c1f843-528d-5703-ba03-34b564d84073", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818013Z", "creation_date": "2026-03-23T11:45:30.818015Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818020Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "125e4475a5437634cab529da9ea2ef0f4f65f89fb25a06349d731f283c27d9fe", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "57d06bbc-4195-5b6c-9e90-9615a68c7d13", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813220Z", "creation_date": "2026-03-23T11:45:31.813223Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813230Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d0d3af81c9f26ffce51b6e32a099327b357b1f16314e27e8c27a814d0d209cc3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "57d8a483-9dfc-5c3a-ba16-4c5261b85f25", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821744Z", "creation_date": "2026-03-23T11:45:31.821747Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821755Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "65b4d38b9cf698692870ce57820d7fc2e2560722e27b4cc2f24da9e1d1d247d3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "57e052da-4a12-5cf3-bfe1-231486a223ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150426Z", "creation_date": "2026-03-23T11:45:31.150428Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150434Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0fb2513c4a98e8102359a7e97453e0ab8518fad628fba10669d43fdda64acbf9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "57eade01-543d-5b23-970c-e0a47db8166c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488310Z", "creation_date": "2026-03-23T11:45:31.488312Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488317Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7e9e002513b5263e1f8918ed433280a8af2c585c6ea63326f07d08fe355b5eda", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "57fb1824-3c0f-5c2d-b6e1-6d8437480fe7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462114Z", "creation_date": "2026-03-23T11:45:30.462117Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462126Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b7956e31c2fcc0a84bcedf30e5f8115f4e74eed58916253a0c05c8be47283c57", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "57fc572c-fe03-559e-9268-fe72f2bc5057", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983815Z", "creation_date": "2026-03-23T11:45:29.983817Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983822Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "25a0854ef48a4dfbc7f04e94d2b11757e3613b241d39d46a19cb389ce42887e4", "comment": "Vulnerable Kernel Driver (aka GLCKIO2.sys) [https://www.loldrivers.io/drivers/52ded752-2708-499e-8f37-98e4a9adc23c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5801a5bc-70bd-568c-a495-f291253a4cec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622157Z", "creation_date": "2026-03-23T11:45:29.622159Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622164Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7fd788358585e0b863328475898bb4400ed8d478466d1b7f5cc0252671456cc8", "comment": "NamCo vulnerable driver (aka smep_namco.sys) [https://securelist.com/elevation-of-privileges-in-namco-driver/83707/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "580cc271-8a1f-55de-a2c7-7fac586ff885", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470756Z", "creation_date": "2026-03-23T11:45:30.470759Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470767Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "89e579ccbbd834bdd1d5b394843b6110813849000d9116489f14c146cbe66811", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "58229230-e4ba-5196-a4be-3b710d4f7f20", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816526Z", "creation_date": "2026-03-23T11:45:30.816528Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816534Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b508921632475b1aadf6194b2f3feea72959b60675dcb44bbc3f8e363f8485ea", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash 
SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "585874ee-bf20-525b-89a0-8bbb4e2909f7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604051Z", "creation_date": "2026-03-23T11:45:29.604054Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604060Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "74f9975737dd078c75048bb01549e7678eb61c065d1f50294b80caeb65cbd65e", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "58660078-0ae2-56ec-8fbf-8a2190b749bf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830843Z", "creation_date": "2026-03-23T11:45:30.830845Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830851Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e898abc1a79b301909f5ccf62260a359aa3822b5754b6ab2f1becfda4a4bee12", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "58667231-93f3-57fe-9a94-7f8c6434d904", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829008Z", "creation_date": "2026-03-23T11:45:30.829010Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829016Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6fb583cf195231e5dc14e149541f525b1df8e2c0ee73d7b34d006dd2300b56a4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5867df2a-5d7e-5906-b051-bef1bef153dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159366Z", "creation_date": "2026-03-23T11:45:31.159369Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159374Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dfd70d4bb19abf412ac263f80350b604b1ca22bc0e48dd4c29ec9e9808335c3f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "58686c4f-caa8-5c43-985b-0bee6f686930", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459077Z", "creation_date": "2026-03-23T11:45:30.459080Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459088Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2fa78c2988f9580b0c18822b117d065fb419f9c476f4cfa43925ba6cd2dffac3", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) 
[https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5871d2ac-e8c4-53fe-97dd-cf961d904783", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971985Z", "creation_date": "2026-03-23T11:45:29.971987Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971993Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2d2c7ee9547738a8a676ab785c151e8b48ed40fe7cf6174650814c7f5f58513b", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "587e6439-2826-5c81-b5b2-129d5956020b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612180Z", "creation_date": "2026-03-23T11:45:29.612182Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:29.612188Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "39937d239220c1b779d7d55613de2c0a48bd6e12e0214da4c65992b96cf591df", "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "588d01d8-5a4c-5bd3-b548-99edb5697539", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606777Z", "creation_date": "2026-03-23T11:45:29.606779Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606785Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea765eb8845fc90215975814f8da48da787f1a1449d58af0b17cb58d2af5c08e", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "58931eaa-aeb4-54b1-a367-dea085972f97", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612385Z", "creation_date": "2026-03-23T11:45:29.612387Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612393Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "55a1535e173c998fbbc978009b02d36ca0c737340d84ac2a8da73dfc2f450ef9", "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "589374ed-96af-54bd-bf66-46b49ad60711", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970002Z", "creation_date": "2026-03-23T11:45:29.970004Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970009Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9e51062d4249945e77c7d3fdecc9797ffc38017465c8068a5f1296bf85ae558c", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] 
[https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "58ae260e-9338-5f0d-a907-7350e54ee896", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969400Z", "creation_date": "2026-03-23T11:45:29.969402Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969407Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5cd7378c57afa9260976879b58b32433c0e2d52fe0cebe06e647e1165c93f4a8", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "58c0fcfd-c5b4-5eb1-9d20-d96187f25676", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145621Z", "creation_date": "2026-03-23T11:45:32.145623Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:32.145629Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4e99d454a56845bb0e622cfd68b895b7868ef7e8a43424e5b7b803f5a2d25eca", "comment": "Vulnerable Kernel Driver (aka psmounterex.sys) [https://www.loldrivers.io/drivers/0f64bf7a-2ef2-45ea-af7d-4e7c87d98777/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "58c32a46-5fd9-5664-b82b-0e9da31d45c0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152831Z", "creation_date": "2026-03-23T11:45:31.152834Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152843Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "48c7215dacce2bed9465430c8bf805418e02a4da4435014ffdc75d4a5c07a496", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "58c85a4e-9092-53fd-949a-f88bc337233c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969186Z", "creation_date": "2026-03-23T11:45:29.969188Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969193Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7ad0ab23023bc500c3b46f414a8b363c5f8700861bc4745cecc14dd34bcee9ed", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "58ceb588-18c5-5b69-9dce-dcc370ac1c79", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818056Z", "creation_date": "2026-03-23T11:45:31.818059Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818067Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9e84f600c3ef63442368ea7dc9df85168c04d573ea765153a9cbf18e41dfc20f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "58de1f8a-8e66-54d8-a340-7d04fa47cb24", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604428Z", "creation_date": "2026-03-23T11:45:29.604430Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604436Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "425406152227f499013a6c3fbcf7700d98351a30e7813a30f0003f48eceb08ec", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "58f31ee9-16a9-58e1-b2db-0365085fd091", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822131Z", "creation_date": "2026-03-23T11:45:30.822133Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.822140Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "87279855c17e3924ebfa07f51c1312d0e107f990f4ae174807ac4814da6179ac", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "58fa725a-515e-58a5-a344-d8d9dfa82b9e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984209Z", "creation_date": "2026-03-23T11:45:29.984211Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984216Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "950a4c0c772021cee26011a92194f0e58d61588f77f2873aa0599dff52a160c9", "comment": "Vulnerable Kernel Driver (aka AsrOmgDrv.sys) [https://www.loldrivers.io/drivers/3f39af20-802a-4909-a5de-7f6fe7aab350/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "59071458-e0c8-54b9-b018-7f25f9004667", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606488Z", "creation_date": "2026-03-23T11:45:29.606490Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606495Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "57ecd1bb823cb213dc801950a3495d14359694e52cadbad51e78f0acaae2b98a", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "590a02c0-510a-5e5e-ab1d-c56790e4452f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979359Z", "creation_date": "2026-03-23T11:45:29.979361Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979367Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "32882949ea084434a376451ff8364243a50485a3b4af2f2240bb5f20c164543d", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { 
"id": "5911a81c-9aef-5b11-91e7-c7409719e707", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832407Z", "creation_date": "2026-03-23T11:45:30.832409Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832414Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "16192d98b68513c3d62c313feb5eeace472439dea92fd0aca326f162eeffae5a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "591b5214-159e-5624-8cdc-aded219f4db8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972090Z", "creation_date": "2026-03-23T11:45:29.972092Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972097Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cff9aa9046bdfd781d34f607d901a431a51bb7e5f48f4f681cc743b2cdedc98c", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5920aa1b-4245-55af-8d34-a88972d9c090", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816962Z", "creation_date": "2026-03-23T11:45:30.816964Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816970Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3c03433ea3376f6f099ad77a4ce59187817d1bc0c3c0f55fd931320d909dd920", "comment": "Vulnerable Kernel Driver (aka CP2X72C.SYS) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "592228c1-9408-5faa-9fd2-a8fa4cfc129f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974034Z", "creation_date": "2026-03-23T11:45:29.974036Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974041Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e3eff841ea0f2786e5e0fed2744c0829719ad711fc9258eeaf81ed65a52a8918", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5933d707-bd6c-55b4-9959-a9f7ae2bf77f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159792Z", "creation_date": "2026-03-23T11:45:31.159794Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159799Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "05814beffff44b7713387f5595ba2f9a749e81d693a90e3c4e2af5f78cf049d8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"5946badf-e989-571f-b024-7eb249a810c8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471047Z", "creation_date": "2026-03-23T11:45:30.471051Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471060Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3327d9e938d4ae29de110e219662ce04932935a7886e99feb508ffe77c9e00c2", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "594740a1-1bcd-5246-8840-5e6d28a1c045", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.484902Z", "creation_date": "2026-03-23T11:45:31.484905Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484915Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "cf652a6b20838d070f818f75a052a8194243cd0d25b047250905d6f8699f2c9e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "59557248-f290-5621-bfeb-c548b67fe336", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821771Z", "creation_date": "2026-03-23T11:45:31.821774Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821783Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6d2edb6e885dbbce00b2d8ce9cbfd41eebd8f31c791ca6399a85d72b7acf09a0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "595d949a-9edc-5c72-afa4-d8feaf6a0018", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968775Z", "creation_date": "2026-03-23T11:45:29.968777Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968782Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fba53fa5825b568ce775e78bf2325f5444d2cad9ca96cb1b949de201c5186faf", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "59684753-7d7d-5170-944b-c2e3b6c906fd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829954Z", "creation_date": "2026-03-23T11:45:31.829958Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829966Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e7626db66e81a226e9d8093e02bd762c8bd06197f26fd500430231fb0d992708", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"596d22ed-6126-54f4-8101-93f3d7e60dcb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150841Z", "creation_date": "2026-03-23T11:45:31.150843Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150848Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a4d4b10032367ccfb43fd3a31c7fe20b21a0e858071a9e287afcb6530a6e85af", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "596fac43-c0f6-55a3-a44b-91dae0c09bb6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145503Z", "creation_date": "2026-03-23T11:45:31.145505Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145510Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab7b7cc9a42eed6c9e35eab55a8b9d49afabce8018f921f51506b16e52c56648", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "597bac2f-afcc-5ec3-81d9-fff27a6a4919", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.147131Z", "creation_date": "2026-03-23T11:45:32.147134Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.147139Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47ec51b5f0ede1e70bd66f3f0152f9eb536d534565dbb7fcc3a05f542dbe4428", "comment": "Vulnerable Kernel Driver (aka BdApiUtil64.sys) [https://blog.talosintelligence.com/byovd-loader-deadlock-ransomware/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5983dee3-180d-5e4b-88f9-150acc679834", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146600Z", "creation_date": "2026-03-23T11:45:31.146602Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146608Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5c71c2d36e4ec7e5a99dfa343cd02da07c21ac95fe013f16ab12e653d5bc29d8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5998d8fd-a0e1-57e3-953e-8a17f7a4dc58", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495337Z", "creation_date": "2026-03-23T11:45:31.495340Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495349Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "20f199fb2ab7e0fab4b6acf42758eef858e92fb9bdb393ef27b2cdac4e2c7cd9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "59a15016-df38-5aa3-ac03-b50fe2847693", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476738Z", "creation_date": "2026-03-23T11:45:30.476742Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476751Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3b22adc61900fbdc26629dc1135344d878f6a368ec6df0d4ec374559cb669182", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "59a6c8f3-81d6-51b7-a65e-2cb4970fd828", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985100Z", "creation_date": "2026-03-23T11:45:29.985102Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985107Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "42de79eb237293befb1b954beaf92b832f947195e3c359048aaa464ead56b62d", "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "59b0ec94-a57d-5ade-ad45-b89bb8d2777c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818846Z", "creation_date": "2026-03-23T11:45:31.818849Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818857Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d4a58f058a2a1dfa89c48a813bbca325f850e90766f7061b664c1c7ea0077c2e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "59b9fdbd-9ee7-5799-bfe6-c3f22d1f82f8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814944Z", "creation_date": "2026-03-23T11:45:31.814954Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814963Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "34491f04384ba04126640ded17704d1aab2a1db415c93fbc718b6c680fc8a12b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "59c11618-9b7a-5c9c-9313-78e1fc587563", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824084Z", "creation_date": "2026-03-23T11:45:31.824088Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824096Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "90e329a85e21dea3cb0726b2377e43bb2b7af4549caf6f8bd90526af4863b35c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "59c22c02-d921-5ffd-b1ab-6f577c9c0697", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619337Z", "creation_date": "2026-03-23T11:45:29.619339Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619345Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "478917514be37b32d5ccf76e4009f6f952f39f5553953544f1b0688befd95e82", "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "59db818d-3cad-5d9e-a7a2-04a41591eb94", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823572Z", "creation_date": "2026-03-23T11:45:30.823574Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823580Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f5f9c3e3bf7efab4013d1db04e09abc90f1c7e2eaf0709ab8dc75b1ab9c2ff91", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "59f0ef64-0889-5a83-b08a-ac2c3c625bd0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491033Z", "creation_date": "2026-03-23T11:45:31.491037Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491045Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cde0c2744775258f44f1c282220501a98ad3f32566b77e926475c50477f1f653", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "59f2f54b-d430-5bc3-898b-508da5f424d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981506Z", "creation_date": "2026-03-23T11:45:29.981508Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981513Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "af298d940b186f922464d2ef19ccfc129c77126a4f337ecf357b4fe5162a477c", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "59f4cb30-d3ac-57f5-b3bd-8578242f54ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607765Z", "creation_date": "2026-03-23T11:45:29.607767Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607772Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aafb95a443911e4c67d4e45ffa83cca103c91b42915b81100534dc439bec0c1b", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] 
[file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a00cbc4-24b1-5572-9730-9edd2dc28ac4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825915Z", "creation_date": "2026-03-23T11:45:30.825918Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825926Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "da2d5db1dde9313c86e08591f58fa10344ec32173d293376b8838cdf4206dda8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a034ef9-2cfb-5ae3-bd5b-00156639cee0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.986136Z", "creation_date": "2026-03-23T11:45:29.986138Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:29.986144Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e6a7a497010579fde69cd52bed8de28db610c33bbc5ce0774459dcf64657b802", "comment": "Vulnerable Kernel Driver (aka directio.sys) [https://www.loldrivers.io/drivers/a2c3f6e9-25a5-4b75-8c6b-ad2d4e155822/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a1fc55a-9f65-5213-9f99-a4e2e163a119", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828825Z", "creation_date": "2026-03-23T11:45:30.828827Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828832Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bd96a63f6fdc50f67cd7cbc5e2bd8173c014254a80dd30f89474ac607f80a63a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a255d95-da22-5b78-8cfc-c2048fb34254", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823452Z", "creation_date": "2026-03-23T11:45:30.823455Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823465Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9c1ca510e02e5b44f0999db444da05d4b1883621043ca396b8a41e3271e84602", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a33df7c-5145-58a3-873a-369dc71a051e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969733Z", "creation_date": "2026-03-23T11:45:29.969735Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969741Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a801e12c32c0eb197b3cc507d096afc16a32dca6bc71d080e1ae2c17ad13b2ca", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] 
[authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a383163-6778-524b-90fa-ff5513e087aa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817498Z", "creation_date": "2026-03-23T11:45:31.817500Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817505Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "556356bb664b9f3a221075c070e3eddc0470eb5e38efaf2a8bdac6ed0c4a3159", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a402dbb-5c0c-50ef-8168-28b66a807f56", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462919Z", "creation_date": "2026-03-23T11:45:30.462922Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:30.462931Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f03f0fb3a26bb83e8f8fa426744cf06f2e6e29f5220663b1d64265952b8de1a1", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a409913-94aa-5b80-bcc7-41f272dfdfb0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969768Z", "creation_date": "2026-03-23T11:45:29.969770Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969775Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "60ae64ade82e9364e95f779bbf950571484aa833ece6837489329517012c7757", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a4957aa-f52d-57d5-a93d-c649dca517f7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473484Z", "creation_date": "2026-03-23T11:45:30.473488Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473497Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "baec06b150e0298136275860ecb0aae08a9bd731ef14d255fc729c4bd7e4d832", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a4fcbe9-01a9-55ef-9a40-87531ad89cea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831531Z", "creation_date": "2026-03-23T11:45:30.831533Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831538Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fead8e6283e71d49cdf327f467bd26aa68db79434c82851be34e7652a20a5258", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a5c39f0-e244-5356-a900-4da6fb1636e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985339Z", "creation_date": "2026-03-23T11:45:29.985340Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985346Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c9b49b52b493b53cd49c12c3fa9553e57c5394555b64e32d1208f5b96a5b8c6e", "comment": "Dangerous Physmem Kernel Driver (aka Se64a.Sys) [https://www.loldrivers.io/drivers/d819bee2-3bff-481f-a301-acc3d1f5fe58/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a5f081d-c6ea-55a1-80e1-02928dc58158", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611079Z", "creation_date": "2026-03-23T11:45:29.611081Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611086Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a50cf5d2189991851565fa73e205b0b56759de78ff415d0f2d3186fb6228b15f", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a5f3bbc-f802-55a4-997f-1e15288d46d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981745Z", "creation_date": "2026-03-23T11:45:29.981747Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981753Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e", "comment": "Malicious Kernel Driver (aka daxin_blank4.sys) [https://www.loldrivers.io/drivers/f8bddc8b-49b9-41f7-a877-d15ec3f174f9/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a608dd0-ae3f-58a1-97cd-df397c6123f9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819930Z", "creation_date": "2026-03-23T11:45:30.819932Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819937Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "647f209aac750ba26bda9836afa5ef1370e4a62b5c331606086b1c4c92e10841", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a675fe1-94f8-5d56-a4f5-ce1e2c156487", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818416Z", "creation_date": "2026-03-23T11:45:30.818418Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818424Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "51f002ee44e46889cf5b99a724dd10cc2bd3e22545e2a2cb3bd6b1dd3af5ba11", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a716bec-b6e8-5ab9-b90b-7f3111948cfa", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974575Z", "creation_date": "2026-03-23T11:45:29.974577Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974582Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9bea1a92c747c203cd3e370f422ed6023787817a5495385e5ca473ef59396a2e", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a7df18d-1b7d-517a-b992-0deae3d4c736", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824562Z", "creation_date": "2026-03-23T11:45:30.824564Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824572Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": 
"hash", "value": "a05a5e4ef61ca36ec26c307986f97ddacdf0b8c6d49ba585af7f6c1418e15580", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a875926-b743-5bf0-95bc-90d0d60352a0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474546Z", "creation_date": "2026-03-23T11:45:31.474550Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474560Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9fc59fa28750eca8c9b1d0430f8dae06fb47a23ae5ccaf00382ff39404dd0ce3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a87b0e1-2b4b-5f7f-b853-ca10d1ee5d40", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489074Z", "creation_date": "2026-03-23T11:45:31.489076Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489082Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6b300090af83ca99586f57e7866152c457ff04845af365b1b556f26b827f07c2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a8d8298-13c9-555f-8d45-667e01396666", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465029Z", "creation_date": "2026-03-23T11:45:30.465032Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465041Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "beef40f1b4ce0ff2ee5c264955e6b2a0de6fe4089307510378adc83fad77228b", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a901fd4-accf-5903-9b5f-842ca54d511e", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146583Z", "creation_date": "2026-03-23T11:45:31.146585Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146590Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2379c61d731ca8c5b2e37b59829ab936cb89b399dcd0704bf3e5b6623a94aa74", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a94a125-7f03-5ae0-8b14-aa7ad9fe6e7b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500761Z", "creation_date": "2026-03-23T11:45:31.500765Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500773Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "b13a2984b2010516a393de79655ee50b11c820e81c3d48c77994f6ae158e264e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a975e71-e4b7-5ae0-a002-bf1d7a4df225", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472664Z", "creation_date": "2026-03-23T11:45:30.472668Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472677Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8e92aacd60fca1f09b7257e62caf0692794f5d741c5d1eec89d841e87f2c359c", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5a9e8640-da7b-509c-9409-e448da121355", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472349Z", "creation_date": "2026-03-23T11:45:31.472352Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472360Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dc21d405f62d38621816523ef0d56479bcc72b7713a133d14b304db037727f74", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5aa9af00-e2ad-54f6-a877-2d0fe8fa2861", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472438Z", "creation_date": "2026-03-23T11:45:31.472441Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472450Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e80b9e2396917ea371114060a132279a1392cfa311c0980b96b5ba0e523e047f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"5ab4f810-e734-5349-98f1-78e936ac28ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828472Z", "creation_date": "2026-03-23T11:45:30.828474Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828479Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8c01f61d0a03d2a02107e921f8f23884cf053c5f5be991b5136d6958ffd94863", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5ab8913d-ade1-5174-8bac-5f220c4aca6e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981908Z", "creation_date": "2026-03-23T11:45:29.981910Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981916Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a3e507e713f11901017fc328186ae98e23de7cea5594687480229f77d45848d8", "comment": "Vulnerable Kernel Driver (aka b1.sys) [https://www.loldrivers.io/drivers/69b924ab-2e4a-4eae-8091-4151c238136e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5ab8d85b-61af-50a7-bffc-510e23430e23", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609482Z", "creation_date": "2026-03-23T11:45:29.609488Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609493Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bb0063e65c44da66d705d25121af09b641070219c174f5d83e288ba8fe59e46f", "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5abb8057-4929-5291-8210-9bf1c36b9d57", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811524Z", "creation_date": 
"2026-03-23T11:45:31.811526Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811532Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "701a88235e70f19461935f0fbfd4bcecdf654c0b91b20b0a968b0e7d9b40713c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5ad75cc5-a900-5a39-ac3c-59098e7bf83a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620693Z", "creation_date": "2026-03-23T11:45:29.620695Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620700Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "84bf1d0bcdf175cfe8aea2973e0373015793d43907410ae97e2071b2c4b8e2d4", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5add6a82-ff79-568a-80d8-0c2de6a824dc", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821499Z", "creation_date": "2026-03-23T11:45:30.821503Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821511Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "13ae3081393f8100cc491ebb88ba58f0491b3550787cf3fd25a73aa7ca0290d9", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5aedb076-01ca-5528-a5c1-2c15cbf4fd6e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148154Z", "creation_date": "2026-03-23T11:45:31.148157Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148166Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"37f755dcb733a06bbc90206da0ca94078e237cb0602d4050f7679946b6f93738", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5af9d7b9-034b-554e-9302-ac2c8e3e21bf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470461Z", "creation_date": "2026-03-23T11:45:30.470465Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470474Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9718a5e78f5015a7a9f66c33ae31a6df37535f33039380c6edc103e3a9dbc5ab", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5afc9956-b8ac-543f-979a-c4031cfa1d67", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813195Z", 
"creation_date": "2026-03-23T11:45:31.813198Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813205Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd717e3f0cbdcd839a816d133f07b331f6219259071e33fb8ba7f0a6258d56a5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5afc9eaf-a71f-5a70-a191-06b6cefe6be6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155906Z", "creation_date": "2026-03-23T11:45:31.155908Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155914Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "99a7c55161c2d016cc3eb8ce3265adeddb877692642940207ca5de6a703c0a19", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5b041cd6-35ba-5989-a51a-e4d82ad9bd37", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144688Z", "creation_date": "2026-03-23T11:45:32.144690Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144696Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8248306bcc5fae20fd4f3d5c44f962c85cddbe020b34a1799350ce2034154b7d", "comment": "Malicious Kernel Driver (aka windivert.sys) [https://www.loldrivers.io/drivers/45a31a17-f78d-48ec-beba-74f6bfc5f96e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5b07790c-7e11-59dd-a07c-17410bd4f478", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460794Z", "creation_date": "2026-03-23T11:45:30.460798Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460806Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"d7a61c671eab1dfaa62fe1088a85f6d52fb11f2f32a53822a49521ca2c16585e", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5b0cb0a5-44ea-5019-a4bb-6575ec428c0d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479475Z", "creation_date": "2026-03-23T11:45:30.479477Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479483Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee8ee16198dd8eec8d5fbb7f98f64bb849b2dfcf652cc102f4cdc63a4551549f", "comment": "Vulnerable Kernel Driver (aka segwindrvx64.sys) [https://www.loldrivers.io/drivers/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5b180cca-d32d-5a97-8a19-39ef0930801e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453842Z", "creation_date": "2026-03-23T11:45:30.453845Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453855Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "11dcfa779763dd6e26344b32dd779bb49be470a7b9b43b5f03738c17fed06aa8", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5b1f520f-251e-5247-a7d0-d3cdf941edc0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968458Z", "creation_date": "2026-03-23T11:45:29.968460Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968465Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "033a14d3863dcb5b990788697a1096fd1f03586694b7872bb47826953f69c9f0", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5b20b6cd-95f1-5be4-8e81-17f616783845", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820373Z", "creation_date": "2026-03-23T11:45:30.820375Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820380Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6f806a9de79ac2886613c20758546f7e9597db5a20744f7dd82d310b7d6457d0", "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5b3c2c9a-acc6-5b21-9a5c-5b834cc9d31f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826332Z", "creation_date": "2026-03-23T11:45:31.826335Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826340Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "689d7260ad115a4d5d45cbd44769208925a1441fe5b0d1ba15f9b14371f936e8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5b40c88f-711a-58ee-a80f-01194192dacb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470961Z", "creation_date": "2026-03-23T11:45:30.470964Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470973Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "01096e6d09cad1af557561f678e70434355a4d07a94ba97774957c16e87bab6a", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5b4b6ecc-05b1-584e-8db0-0e152ef00ec1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471469Z", "creation_date": "2026-03-23T11:45:30.471472Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.471482Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "db73b0fa032be22405fa0b52fbfe3b30e56ac4787e620e4854c32668ae43bc33", "comment": "Vulnerable Kernel Driver (aka AsIO.sys) [https://www.loldrivers.io/drivers/bd7e78db-6fd0-4694-ac38-dbf5480b60b9/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5b4cb740-90d3-54ec-be83-ca9474f0faf7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457041Z", "creation_date": "2026-03-23T11:45:30.457044Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457053Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1fe70267698ba60012ca4c2c0f21325236bafc7b42fa977a09afa6a0c5ed3784", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5b72ffda-4f5b-5add-8e10-10fe0ee2f202", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823446Z", "creation_date": "2026-03-23T11:45:31.823449Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823456Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7ed8bb1bd3663e2c641a46fd5c35c0275c5f89436abf8a83b3fbdb8eb1a534c8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5b7c83d3-8d9d-52ad-9715-7f3075819438", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620388Z", "creation_date": "2026-03-23T11:45:29.620390Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620395Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aa9ab1195dc866270e984f1bed5e1358d6ef24c515dfdb6c2a92d1e1b94bf608", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5b8ab76f-337a-58e7-9b46-41b701737176", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155206Z", "creation_date": "2026-03-23T11:45:31.155208Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155213Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d20aa6ed460e6727acaa1a81f3305c5c32626f5f973d6839461c6d7292fb185b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5b96dc37-1f27-5374-9b68-b9c6e3ab7dff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817865Z", "creation_date": "2026-03-23T11:45:30.817868Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817890Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "419b5bca6d43650893d5e044e785c0ad87cbe1185de0d3feaa9f681c6e7f50b4", "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5ba26841-1043-567b-ac27-96295134e597", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144409Z", "creation_date": "2026-03-23T11:45:32.144412Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144417Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d40f6a680914df8c6cf8dda62332ad829a91815ad94439b920af986f93939a7d", "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5ba68e64-64c4-5208-9efe-347c3d239566", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462849Z", "creation_date": "2026-03-23T11:45:30.462852Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462861Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "60ee78a2b070c830fabb54c6bde0d095dff8fad7f72aa719758b3c41c72c2aa9", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5ba6b281-326b-5f0a-b14f-b3c7ed603d33", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826981Z", "creation_date": "2026-03-23T11:45:30.826983Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826988Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "544be349a5bd52275bd943bfd7d0c1f486d526c27528cb3020e23da4a905afab", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"5bb34de9-c08c-5a99-bdfa-d2af69539ef9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149789Z", "creation_date": "2026-03-23T11:45:31.149791Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149797Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "49de16e30da6d3639cb06b2cee03ce75677caf95ba9e9ca5b89e3b8cdeca5fdb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5bec0360-9605-589e-9e9b-0f957d18edab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821799Z", "creation_date": "2026-03-23T11:45:31.821802Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821811Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "46cfe42abb9263471121ecdf6f0af023b2e9dd2ab6733b2138fd0657a5fee997", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c0201d7-1a57-56d2-bb66-1b112f5842b1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155119Z", "creation_date": "2026-03-23T11:45:31.155121Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155126Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e3bfc1fc0f8b5516d82ea982269ee6075c2d28a429c3be7f3f3249c5adb96b74", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c061ae9-6588-5736-9f23-e1fb6e1a5642", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619717Z", "creation_date": "2026-03-23T11:45:29.619718Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619724Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a6f8aa3de5b4aea58eddd45807d722c864d4bc4a38ad573174af864e21f0d526", "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c063c73-64f8-52d4-ba75-d79251201ec2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971615Z", "creation_date": "2026-03-23T11:45:29.971617Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971623Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a59ad5be59f73f2a138c70d8aa634bf5f3364a67e072b64ff2a6d4627514a9ad", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c14b3aa-739c-5021-b29d-964808ca84fd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143723Z", "creation_date": "2026-03-23T11:45:32.143726Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143731Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1b14ff6a1054fa4bae158111fbcaf35baeedaa9b664c8fb7241db98f7e1c6c20", "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c16788d-a162-52a0-967e-f4f6e6f7770d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495585Z", "creation_date": "2026-03-23T11:45:31.495587Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495592Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "53cd5eeac12e5850c978570f42faa93731d6519da4fa747cc57c37d442ec8142", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c1eec8e-982a-5448-8752-995c2ff0a745", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481711Z", "creation_date": "2026-03-23T11:45:31.481714Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481724Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6e3d9ac8a8067d049d19c798dc419def9ad47db592ba515e7134664985c4b79f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c36dadb-a3ba-5ab6-9522-884c12d0eb1a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607381Z", "creation_date": "2026-03-23T11:45:29.607383Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607390Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f84f8173242b95f9f3c4fea99b5555b33f9ce37ca8188b643871d261cb081496", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c394935-7469-501a-9833-f4f84e0caa7e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831495Z", "creation_date": "2026-03-23T11:45:30.831497Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831502Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1ec99853052f83b8f7279ac0283f9721f663fa44bc64baef21f94394c3a2c36a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] 
[file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c477103-9716-5585-81cd-ba975fccd12c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807992Z", "creation_date": "2026-03-23T11:45:31.807995Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808003Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "19bdcbfbd05cc52a932a38e75aecd1240e3a4c74ef40fdd86a87f8bb9a96db36", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c5c6e8d-0f9f-52e0-8177-602f84e62918", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834491Z", "creation_date": "2026-03-23T11:45:30.834494Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:30.834503Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2274479c525939a531525c393bac08042babe6c8792cdcde8e6952bdab4dd3d3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c5f2fc6-d6ac-59ec-9c76-1fa23ac53fa1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981589Z", "creation_date": "2026-03-23T11:45:29.981591Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981596Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3e9b62d2ea2be50a2da670746c4dbe807db9601980af3a1014bcd72d0248d84c", "comment": "Vulnerable Kernel Driver (aka gametersafe.sys) [https://www.loldrivers.io/drivers/1ab1ec8c-1231-4ba4-8804-4a2cda103bb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c6095eb-ab5a-50e5-a7a2-176220bbcd5e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498228Z", "creation_date": "2026-03-23T11:45:31.498231Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498239Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3b1feec688a8484df79de6dc686031e9820d88433efc21596a70fee47c85230f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c60c519-fa3e-55c9-85a6-c11b0ae59899", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141903Z", "creation_date": "2026-03-23T11:45:31.141905Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141910Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5f73d9daffb0addc47f3a8ce6fa9eb189c648fc52e6cc8dca02aa10131c24179", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c67730d-ca67-5727-93a6-8f7fc7ead43b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485611Z", "creation_date": "2026-03-23T11:45:31.485615Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485625Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8cb73ae30e9c53f30c40bc6305623f4cdde8c4ff5451f2b18a45314f9d9eb3d5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c6b1302-434d-57ad-b03a-dc978474cc61", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141451Z", "creation_date": "2026-03-23T11:45:31.141453Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141458Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "90227d20f02ebe9db8024aaf87e46af68af47a8e70ab11fd20bc6e613820c425", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c6c6697-a418-5b25-bd37-b78cb1f7d239", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610176Z", "creation_date": "2026-03-23T11:45:29.610178Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610184Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "771015b2620942919bb2e0683476635b7a09db55216d6fbf03534cb18513b20c", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c7462e8-3573-5a9c-884c-f0a8ef17cdd6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490208Z", "creation_date": "2026-03-23T11:45:31.490210Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490216Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f1f2355dfd0dc06227cbc38148096e640bc9141fc9a1ceb3923e782b66a3e861", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c799527-c45e-5e28-b9be-e122e6b3145f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149203Z", "creation_date": "2026-03-23T11:45:31.149205Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149211Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7c64d5088568ff05e8e16deaaa8ad5de85bc97b17ceda89d5c12ecadeade6244", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c7baf9d-0ba9-519d-9028-834f4dcb7220", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975113Z", "creation_date": "2026-03-23T11:45:29.975115Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975121Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "909de5f21837ea2b13fdc4e5763589e6bdedb903f7c04e1d0b08776639774880", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20562, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c7fd195-ed33-57e8-a711-1ee1bcc7b7b2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:32.143669Z", "creation_date": "2026-03-23T11:45:32.143671Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143676Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fcffb9cecbcefc399a2a08d99fcc2b797911afa26f3d69a28a139311cb61c39a", "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c8da4cd-50fa-53b5-aa66-7d15a0c7313e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974367Z", "creation_date": "2026-03-23T11:45:29.974369Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974374Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c032e2abdf4f07ba42ce4559e6413387becbebb0a43c287b6d367dbb33bde751", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c8ef4f6-7d9b-5423-9703-79367a82d081", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500442Z", "creation_date": "2026-03-23T11:45:31.500445Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500453Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d63a68a6e08f1a9ba6e2053de4e4c35c79bba2809d1ec92318d1e3d1a8b8934b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c9d00eb-05e7-5e4b-9cba-d208d691443a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452310Z", "creation_date": "2026-03-23T11:45:30.452313Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452323Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "f7b3112b9745b766c8359d25e315975d3159935a8ddb3e3035d21ed124a9013f", "comment": "Vulnerable Kernel Driver (aka phydmaccx64.sys) [https://www.loldrivers.io/drivers/96c8fe71-3acc-41bc-9402-ebd69a961d74/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5c9e0b56-e26c-5008-aca4-1760ba4b334c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143770Z", "creation_date": "2026-03-23T11:45:31.143772Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143778Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "04bf4f16cd0fefd8456f77f4f4b64502b570f8b685df3de419faae2389b58f5e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5cae8a67-2780-5f1c-93aa-77cf882f0149", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.476565Z", "creation_date": "2026-03-23T11:45:31.476569Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476579Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7089503cc4f499b84ccec39aacbeec7bf0bdbe920b7b9e02b4122ab8efcb5add", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5caebab0-c790-5fbe-9483-2548fc515dd8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820789Z", "creation_date": "2026-03-23T11:45:30.820791Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820797Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "66f851b309bada6d3e4b211baa23b534165b29ba16b5cbf5e8f44eaeb3ca86ea", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5cb65f2e-4fdf-5479-8674-5f7df7267593", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.147205Z", "creation_date": "2026-03-23T11:45:32.147207Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.147212Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "13c4583048ebee27a2983feab18e6e4fdcb676f2c4f9880e6433839cc2d520bb", "comment": "Malicious Kernel Driver (aka ProjectConfiguration.sys) [https://securelist.com/honeymyte-kernel-mode-rootkit/118590/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5cc0df16-ce2f-5bc7-bbc6-f0f0ba83ddd6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836649Z", "creation_date": "2026-03-23T11:45:30.836651Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836657Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"019dea3bea77f17aca0748717180adfe91130448ee6c236f240931ba15d5fb12", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5cc6c790-d9ee-5fac-bae6-b16857b07e79", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615782Z", "creation_date": "2026-03-23T11:45:29.615783Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615789Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "543ee203b355c4cbac74d9bac71fb73c0c5c5c3afe268e2ae8ae48d61d350709", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5cc85cbf-8a2b-5927-a174-6f9ff12a85d3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:32.143899Z", "creation_date": "2026-03-23T11:45:32.143901Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143907Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "95fd266cc454177901cb58f4d30417c4a7caf29be62bb8649e5b8fca58823600", "comment": "Vulnerable Kernel Driver (aka Afd.sys) [https://www.loldrivers.io/drivers/394f49b2-2d78-4d0d-b374-1399695455f3/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5cce8ff2-9a76-5237-9f8c-e8bab3d4c297", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969418Z", "creation_date": "2026-03-23T11:45:29.969420Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969425Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1faa125c9442b20c646411f629dd48afe2d962554c45fc4a8e2d45c1fc611b6c", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5cd2dccd-5bfe-5eac-aad2-6f8a37740b7c", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985375Z", "creation_date": "2026-03-23T11:45:29.985377Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985383Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b3cbb2b364a494f096e68dc48cca89799ed27e6b97b17633036e363a98fd4421", "comment": "Dangerous Physmem Kernel Driver (aka Se64a.Sys) [https://www.loldrivers.io/drivers/d819bee2-3bff-481f-a301-acc3d1f5fe58/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5cd8ab20-6ca6-51fd-a3b5-54df642d25e0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829238Z", "creation_date": "2026-03-23T11:45:31.829242Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829251Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"dc2a0bc303d27dc1f4eb71d34a46bb14d59c8a80e32f0fc3f18988076a687e1b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5cdecaa5-515b-5e9b-9650-8424bef83efc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.497924Z", "creation_date": "2026-03-23T11:45:31.497927Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.497936Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ecf3f16e261a9d9f949cd60e63f7a0855ca2c8e8dfc7edc494bf7e698ac26897", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5cf16b3e-10ae-55fe-8971-6c9e90752897", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143095Z", "creation_date": "2026-03-23T11:45:31.143097Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143102Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "416c5a1c88330554302199a9a5b85033d1c7cb8dab4a35ea02fedd81b75c4d99", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5cf177d4-6867-5729-a8f4-5e526a832526", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614666Z", "creation_date": "2026-03-23T11:45:29.614668Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614673Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "85866e8c25d82c1ec91d7a8076c7d073cccf421cf57d9c83d80d63943a4edd94", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"5cf30658-3cef-542a-aada-cf1ffd3a84f7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145464Z", "creation_date": "2026-03-23T11:45:31.145466Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145474Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "93e078ab140c67bc765bbc63852f8a414780f42c895977be3711fafbc5a15756", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5cf76e46-a09b-5d7f-a24a-a28aaf77b000", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832479Z", "creation_date": "2026-03-23T11:45:30.832481Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832486Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7148dd4601f683b6038c8aadce698a0c74be1f3940f25dcc44564952e3bd7777", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5d09221f-bdbf-5d62-bdb5-5cd28922a4e5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622985Z", "creation_date": "2026-03-23T11:45:29.622990Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622995Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "40e624bf557b51775af1ca17062c4eca3693322e250b257aec7dc579e626ef07", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5d200e5b-516e-597a-a553-25f8d04aefdc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494780Z", "creation_date": "2026-03-23T11:45:31.494782Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494791Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2efc60be1e2ca1389bc275c7946ca8a88105d5df61fd909508f2798d9cd841f4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5d219bb3-599d-5ac4-82ea-78e60c0e8c2f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827803Z", "creation_date": "2026-03-23T11:45:30.827805Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827811Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bdc8c2ca2b138742d4b441e7b3cd3566421d40e45afc6b62a293472926dd912d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5d28294e-e7b7-5c0f-832c-efd6b207759c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833399Z", "creation_date": "2026-03-23T11:45:30.833402Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833410Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "713b36a556eff48930301a0087a3bbefa4a1957aeefa560a5875ccab9c7cca45", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5d2bdf92-107c-5026-8822-ec0b1a6ee6af", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155429Z", "creation_date": "2026-03-23T11:45:31.155432Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155440Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ba39b795cc2ecddccb80947c978e53fd660099e152c5828ff608bbae6407b0c8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5d2cdf74-57c7-578f-afff-6ad5c50ee4cd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140247Z", "creation_date": "2026-03-23T11:45:31.140249Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140255Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c2859055855875731449de25b3a0eacda6cfd37520cbb41909db619108d1ab7a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5d3c7e3d-f301-5763-bcd4-ad341a6f8519", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146546Z", "creation_date": "2026-03-23T11:45:32.146548Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146554Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7e82d60575309a6bf6145e7d509dac0b2e815a734a492055bf591c8a7ab55865", "comment": "Malicious Kernel Driver (aka driver_ab811ca5.sys) [https://www.loldrivers.io/drivers/09d2e61d-e041-4ec8-ab7b-385848456a36/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5d3d4a70-31c5-5aea-beab-5e4669bba483", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823481Z", "creation_date": "2026-03-23T11:45:30.823485Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823491Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c22afc69a39092ca8f8efd1b1cad613606339df1c121fcf390f9fc4449c267a9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) 
AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5d7748ef-25d4-5787-b0d6-fa4cd43dd5ad", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145836Z", "creation_date": "2026-03-23T11:45:31.145839Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145856Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fb10b1366d191682fad1ad6d163c47c979c0db00e403c8e44952ab53273cab71", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5d7cc030-2d6a-57a2-9a82-177276ba14f4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144271Z", "creation_date": "2026-03-23T11:45:31.144273Z", "enabled": true, "block_on_agent": 
true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144278Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5ba81b423320a4487ae7a8776e3005142514d1715afd7b563f586bf10e5e1f37", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5d877bb5-0662-5199-93ec-3e2c1153a265", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467559Z", "creation_date": "2026-03-23T11:45:30.467563Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467573Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "77280614edf2e476a853c7881a4ff1402d67d4dd3e218af657f44fd4d4fbdbcb", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5d930509-d05d-5c28-b593-8b1dc0f9c3e9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826076Z", "creation_date": "2026-03-23T11:45:30.826079Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826088Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ba80b3a12a609c0d6069dcea7e346aa8d6e622e32eecd0244b40a4dcd8329ce1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5d99795b-719a-5981-98b9-164522b65a99", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977036Z", "creation_date": "2026-03-23T11:45:29.977038Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977043Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ede9e515a00c6a703a51b5a6e2d10d8d620be35da56fb6fec9a4fb96e6f88c7", "comment": "Malicious Windows 
Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5d9ce0f4-c7a4-59de-be1a-358b13c4b74b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.471836Z", "creation_date": "2026-03-23T11:45:31.471839Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.471848Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4b64def5d8bd9d37af54b758e4d0c7cb28cad032745ef0fc8442815772c4adab", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5da3f0a6-12c3-5726-ad02-19dd5f9547cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617079Z", "creation_date": 
"2026-03-23T11:45:29.617081Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617086Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "709ab95302bb44c7a7dafaf342ca933422ea03ed7b492be204a319161feb350e", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5da9f4d6-cef9-5881-8adf-e4f551d7e37b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154414Z", "creation_date": "2026-03-23T11:45:31.154416Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154421Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0ecb274c24a2271eef97d629bfbdda7e14845c8b420ee91116f54f6652b3e084", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5dbc19a5-5ea8-528d-8416-f618db8bd210", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491296Z", "creation_date": "2026-03-23T11:45:31.491299Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491306Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "942cfb6f9d5a7ba3bd96c7e99d783a13636a3b6a47996c8c4cbb886e609fe521", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5dc3b517-496c-5bfc-92ad-98bf6ba4dbdc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816397Z", "creation_date": "2026-03-23T11:45:31.816400Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816408Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"7d5dc2c4a402c8b3feee738efa5b24b84b530c161fec2bd0ad5284566d6f5ffc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5dd132af-5e54-52cc-b43a-13f57eeb40be", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970931Z", "creation_date": "2026-03-23T11:45:29.970934Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970950Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "04a68cb3a0c063bc66d5b144525500947dab43a0a7633a786ee0060079ba83b5", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5de2dcdc-44cf-51e8-b994-e245daaabc79", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146415Z", "creation_date": 
"2026-03-23T11:45:32.146417Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146424Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "270bbba20190463a27ae41ec283922b25d397aab31c96cd4eaa47eadaac07b00", "comment": "Malicious Kernel Driver (aka driver_0ffb4081.sys) [https://www.loldrivers.io/drivers/8081b0d0-e18e-474a-bdfa-8ff1956d90cb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5de85586-50e0-51f8-981f-2a5ebe6404f4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823640Z", "creation_date": "2026-03-23T11:45:31.823642Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823647Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5140d2d1cdd4ff9ea90a1a9d4cffe0195a5c01ea9fbec47e1643216cab559c2b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5dfd70dc-b80a-573b-a7ba-586d1f31eb4d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153146Z", "creation_date": "2026-03-23T11:45:31.153150Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153159Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6c59848c6671201b3838b69cb2947e3e7489c6c0bdd538a9609a76e980bfb3c7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5dff5fd9-6c94-5ee9-839f-acbc6c75ec7b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145254Z", "creation_date": "2026-03-23T11:45:31.145256Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145261Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"80a4c175c06c9fb31d0e0d3f741e6bacde3fd9058f0b2f783ce0d66becc0a8b3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5e054251-f6ab-5724-a0fc-3a33094d97c1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610993Z", "creation_date": "2026-03-23T11:45:29.610995Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611000Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fd8d61102719afb0b8a230d9e8c372af3396bec4a6d72aada42a1f1d36187751", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5e18716e-d0d3-58ce-968d-c2a4d317e398", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.607817Z", "creation_date": "2026-03-23T11:45:29.607819Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607824Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bc13adeb6bf62b1e10ef41205ef92382e6c18d6a20669d288a0b11058e533d63", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5e314e51-8b55-5026-a4b3-e72f6ce58050", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145985Z", "creation_date": "2026-03-23T11:45:31.145988Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145996Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e0508471f1b7177ccf26fd663d135767a652a3fdccb545e4ef38f79ae034f245", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5e31698d-4bcd-58a8-8b7a-51a203abc31d", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149934Z", "creation_date": "2026-03-23T11:45:31.149936Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149941Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5b20d8255ee1c2f18a64dd3754ce2503db010cb650f2eaa8135a0ad252ebcced", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5e3515ed-33ca-527c-87e9-9c265cc68523", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482186Z", "creation_date": "2026-03-23T11:45:31.482190Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482200Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "de80cadf7e24d0414d6d88922995a5fb62cc050b67dfc64f31452d72cfbb9fe4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5e3c796f-11e8-5a0f-877b-780c78f9d7dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807561Z", "creation_date": "2026-03-23T11:45:31.807564Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807573Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eca625614fa812a3e2fb2eade15f87df9ba3cac5078b1bbf914bfa745fb977c6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5e4b6a3e-417c-5a65-96de-aec4831ab6ba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460465Z", "creation_date": "2026-03-23T11:45:30.460469Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460478Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "67e9d1f6f7ed58d86b025d3578cb7a3f3c389b9dd425b7f46bb1056e83bffc78", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5e5b5808-b6cc-5fd2-876c-0d08c80e5df5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606103Z", "creation_date": "2026-03-23T11:45:29.606105Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606110Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "51e91dd108d974ae809e5fc23f6fbd16e13f672f86aa594dae4a5c4bc629b0b5", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5e6345cd-f671-505b-b7ac-94b766aaf87e", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153684Z", "creation_date": "2026-03-23T11:45:31.153686Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153691Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f76f5ac7ad8f077092b85ed16912b99e7a0eb91497aea292f61d1a97e07884ea", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5e6772ef-b3c0-5d88-9f4f-24e60b50fc35", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836065Z", "creation_date": "2026-03-23T11:45:30.836067Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836072Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "38bd451bc3a296a3e108f7ed83a014f345f7e8415015628bd3ec223d6270ca70", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5e71c5da-cd2b-55d9-a07f-c977be843837", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810794Z", "creation_date": "2026-03-23T11:45:31.810797Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810802Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd4108979f44c34a3c6ed06cc410117450fec087ecf77937e4fb588e26b73ed9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5e7e36d1-d152-5ce7-9da1-913e65016526", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144003Z", "creation_date": "2026-03-23T11:45:31.144005Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144011Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6e2ba9f06829ee04a6d4b1653754e415ad39a01570919256df716c94e071f84d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5e816d24-4d20-53bb-855f-300bd55c448e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822255Z", "creation_date": "2026-03-23T11:45:31.822257Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822263Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "10e36a55afb19c4a9611d8370225173c57e377fb0f237606072190679f85c99e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5e853c92-a543-557f-ad3b-c62cc50312f6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970297Z", "creation_date": "2026-03-23T11:45:29.970299Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970304Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d30f51bfd62695df96ba94cde14a7fae466b29ef45252c6ad19d57b4a87ff44e", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5e890d91-f163-5fad-9d09-a28bbc1373ed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488027Z", "creation_date": "2026-03-23T11:45:31.488029Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488034Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "9da15be14ff7e1e78ff6d67649268a3d9fd117a04393f9ff972326ddd887257c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5ea38312-59e4-5549-b217-16878e7edfa7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.142808Z", "creation_date": "2026-03-23T11:45:32.142810Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.142816Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "023d722cbbdd04e3db77de7e6e3cfeabcef21ba5b2f04c3f3a33691801dd45eb", "comment": "Vulnerable ITM SYSTEM File Filter Driver (aka probmon.sys) [https://antonioparata.blogspot.com/2024/02/exploiting-vulnerable-minifilter-driver.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5eadf19d-24f4-52d0-997e-6a2492e56563", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621281Z", "creation_date": "2026-03-23T11:45:29.621283Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621288Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b48a309ee0960da3caaaaf1e794e8c409993aeb3a2b64809f36b97aac8a1e62a", "comment": "ASUSTeK vulnerable physmem driver (aka AsIO64.sys) [https://www.loldrivers.io/drivers/79692987-1dd0-41a0-a560-9a0441922e5a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5eb06983-a32e-5265-af41-1208746544b0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816986Z", "creation_date": "2026-03-23T11:45:31.816988Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816993Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4fde22ee85f60c67ad4c5ff15df2c7609ad24a44ad45144e06461f64c5149df5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"5eb23368-f54a-5725-a0b8-8bd15528379b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492923Z", "creation_date": "2026-03-23T11:45:31.492925Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492931Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "825fd4c37680a98cc1855795a921536d4450776c731c2a71ecf28deb9d6e8188", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5eb7e638-80e1-547e-9bae-4a14f277255d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615082Z", "creation_date": "2026-03-23T11:45:29.615084Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615089Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e3936d3356573ce2e472495cd3ce769f49a613e453b010433dafce5ea498ddc2", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5eb96b6c-a649-51bc-b76f-2f616e4fe36b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144055Z", "creation_date": "2026-03-23T11:45:32.144057Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144063Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "28b39c57628cb12ca1bf2f531055c7d57008be5fd424aa691ecb648efe5768dd", "comment": "Malicious Kernel Driver (aka driver_c3d48ddd.sys) [https://www.loldrivers.io/drivers/f6c08b8a-1d25-4bf1-9d4f-5368c1f6cfe7/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5ebd7326-02b8-5c64-83e7-2aef25858e1f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836594Z", "creation_date": "2026-03-23T11:45:30.836597Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836602Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8cd13f392fc66286c0866f583edb8df3273057fe7848e2679aae5222dd09254b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5ec7a5d0-8734-5b52-8c28-88af9bf496d5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829394Z", "creation_date": "2026-03-23T11:45:30.829396Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829401Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "83cc4a85fce0635bed938e2ae866011c004192e0acdf1b1bb5ea03cfaa34fe3c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
} { "id": "5ed1d32f-d554-5b7f-b87e-6942118e4c52", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495151Z", "creation_date": "2026-03-23T11:45:31.495153Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495158Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "952b5e5ef69cf66a84baa52a13998ca5a038e51b6b31a6d281ee78eede0b9f30", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5ed7a61e-f252-50e1-b76f-b4eb1c1cc9a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.142650Z", "creation_date": "2026-03-23T11:45:32.142653Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.142658Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "31ce60480166e9ebef758b66f770f3fea86dd429da27fc5eed755c3d8c4e20fa", "comment": "KingSoft Antivirus Security System Driver (aka ksapi64.sys and ksapi64_del.sys) [https://github.com/BlackSnufkin/BYOVD/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5eeb0bfe-767c-5408-a79e-aba661fd678b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466185Z", "creation_date": "2026-03-23T11:45:30.466188Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466197Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "818787057fc60ac8b957aa37d750aa4bace8e6a07d3d28b070022ee6dcd603ab", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f0a9012-e9bd-518e-870c-673e666967a8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146764Z", "creation_date": "2026-03-23T11:45:32.146766Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146772Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c619a7fbb27940428b80129e0fa2d976fce52f93ab37667d2ca01330c6c561a5", "comment": "Vulnerable Kernel Driver (aka isodrivep64.sys) [https://www.loldrivers.io/drivers/bd6490c2-20ea-441e-803c-bc3b957dae4c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f0aabf7-a6b4-5b12-b668-97d9f57b8b89", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616622Z", "creation_date": "2026-03-23T11:45:29.616624Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616633Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "20f11a64bc4548f4edb47e3d3418da0f6d54a83158224b71662a6292bf45b5fb", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f162aad-7874-5e3d-b6d2-aa27ec1dcd86", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616133Z", "creation_date": "2026-03-23T11:45:29.616135Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616140Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cde02c7db90626bcfbfbbc1315d4ce18d4f15667fa57c16b9ac2b060507c62ad", "comment": "Phoenix Tech. vulnerable BIOS update tool (aka PhlashNT.sys and WinFlash64.sys) [https://www.loldrivers.io/drivers/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f208f91-7acf-5630-b8be-932b0e8104a4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817711Z", "creation_date": "2026-03-23T11:45:31.817713Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817721Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", 
"value": "8ef4a29303fadaebafa0370682a25ab16e9723ebb109c88d1c83764140c4256d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f31e738-5c01-57ff-ad46-1bddd804e8f1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827160Z", "creation_date": "2026-03-23T11:45:30.827162Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827168Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d8b3af5ccbcc7ca3fdde7818e0c706fc490f06aa20fff90c79f270445759e3d7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f439300-d9ac-5abc-a628-053dd62b8304", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808595Z", "creation_date": "2026-03-23T11:45:31.808597Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808603Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2f41efd32d4ad9bbcb688c687d7b871c3f33fd5766e28aa3f27c723b48a56bcb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f4a8211-1645-53a6-a186-588ed22d504c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469068Z", "creation_date": "2026-03-23T11:45:30.469072Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469082Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "00231ea698565270bf9f542e70490b7a5c6740c2da6699ab548dca0a97ca3171", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f4aea1e-c8b7-5601-bf80-da58ad6a41c7", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606741Z", "creation_date": "2026-03-23T11:45:29.606743Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606749Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c5732937c3ab5e0fd244cc1b820eaa1fb7d97110c213cd6b9dadebafe3ea853d", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f4b8d79-d903-50e6-9cb0-1a0c611fcb06", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979325Z", "creation_date": "2026-03-23T11:45:29.979327Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979332Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "5b932eab6c67f62f097a3249477ac46d80ddccdc52654f8674060b4ddf638e5d", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f549cd4-3ad9-58e6-a043-2cc5a63bef0f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480079Z", "creation_date": "2026-03-23T11:45:31.480083Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480093Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d77b2fd954fe46be027c78597c87fa320438665240b751d788033bb183ef7761", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f58814f-50a3-5724-9693-68be040bf957", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.819847Z", "creation_date": "2026-03-23T11:45:30.819849Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819854Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fb79b99db91dc965263bd2c10ec0f58c6b8f282e0273f40c4249831b74ffec3a", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f616c5c-e1b2-5b65-acfb-249f658be918", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466692Z", "creation_date": "2026-03-23T11:45:30.466695Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466704Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9dc7beb60a0a6e7238fc8589b6c2665331be1e807b4d2b3ddd1c258dbbd3e2f7", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f722226-8d15-5d9c-8079-84811c5b3e6c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828477Z", "creation_date": "2026-03-23T11:45:31.828479Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828484Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9ec7dca0815075f605a2887eae32def1d28cc09de4fac8b5033b3c0693ad210d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f72eaae-f6ae-52b6-9aa8-e6e2e7d82af1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604033Z", "creation_date": "2026-03-23T11:45:29.604035Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604041Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"dcb8df13141708f0dd470b5411c065f8ad21688daf424bd05c94eb6e63dd08aa", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f77e5b1-8eba-5463-8715-e4770c4745a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147917Z", "creation_date": "2026-03-23T11:45:31.147919Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147925Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1f7771ea769a351ee971b196b67cffd86afa90d7478f4e20f200b159099bcfcd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f7eeedd-6db3-5bf3-b18d-2d7c4b5099c0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606421Z", 
"creation_date": "2026-03-23T11:45:29.606423Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606428Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0dc57678ba8a87ece2b2ecf0f0fc6ea2366f3f11873f478f49c9b9df8b813288", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f821312-e930-59fd-ac81-43312c234e3d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452798Z", "creation_date": "2026-03-23T11:45:30.452802Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452811Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7a2cd1dc110d014165c001ce65578da0c0c8d7d41cc1fa44f974e8a82296fc25", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f8e6708-c2d3-571a-b6ef-2e2f0451908f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809596Z", "creation_date": "2026-03-23T11:45:31.809599Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809607Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "110e77c2a77d18067edafcee5c7fbd0c1240498f971e38acf5671800e4c3a667", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f9241e1-4b37-5803-afb0-06acb4d23593", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977834Z", "creation_date": "2026-03-23T11:45:29.977836Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977842Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"dec8a933dba04463ed9bb7d53338ff87f2c23cfb79e0e988449fc631252c9dcc", "comment": "Vulnerable Kernel Driver (aka b4.sys) [https://www.loldrivers.io/drivers/d1441172-cc15-4a96-b782-f440bfb681e1/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f927e47-26e1-59ca-b3d3-3cd5daa54b95", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142308Z", "creation_date": "2026-03-23T11:45:31.142310Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142316Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b48564115c42432fccccba7018b6578c8ccc33da0c6b7d73f7150f0c4470e6e4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f97d772-a77f-53bf-8978-2d31e85a5d11", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141785Z", 
"creation_date": "2026-03-23T11:45:31.141787Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141793Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f426de2b6078727c9c7a9ac93ce9f8881cc8d2d489f80c419d9206408599764b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f98b9a1-ef14-5b38-a487-bd2041c122aa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608794Z", "creation_date": "2026-03-23T11:45:29.608796Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608801Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "681de794238060ec929aa5cf6c4701069f113a8524d31fb2f411648968ca17de", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5f9adcba-9259-5e4d-8c35-c77d2331f244", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823621Z", "creation_date": "2026-03-23T11:45:31.823624Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823629Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eb911ee38ebbc680eb44299e9e50f92d8995ddaa1070b3c23a71ab0566940b25", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5fab89d7-37d3-5020-86ac-8476a39553c9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141981Z", "creation_date": "2026-03-23T11:45:31.141983Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141989Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"8447afc11fdb3664885c026edc07fb909bf7ca62633b1c20d3c82e52d8f03561", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5fae421e-afb7-5024-93b6-9ba5cb0654d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.623007Z", "creation_date": "2026-03-23T11:45:29.623009Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.623015Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "841f965977f33d621d126412032c47dd6118251623c380e5572f7553b620b0e1", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5fb8513c-3766-515c-9275-61c56137ac4b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621141Z", "creation_date": "2026-03-23T11:45:29.621143Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621148Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ca829178d01990c8d1d6a681dee074a53f0dd873fd8eef6f6161c682449ec8c5", "comment": "CoreTemp Physmem dangerous drivers (aka ALSYSIO64.sys) [https://www.loldrivers.io/drivers/4d365dd0-34c3-492e-a2bd-c16266796ae5/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5fc33fa3-e086-5c6c-9bb1-4714010406fb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.147095Z", "creation_date": "2026-03-23T11:45:32.147097Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.147102Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7023f08c9f99076a5fb82a0f661847e2951800f095fca1793a0e6bd9c949b478", "comment": "Vulnerable Kernel Driver (aka LnvMSRIO.sys) [https://blog.quarkslab.com/exploiting-lenovo-driver-cve-2025-8061.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5fd219e9-384c-5fa2-9845-c28f5c443fe8", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982836Z", "creation_date": "2026-03-23T11:45:29.982838Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982843Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "358ac54be252673841a1d65bfc2fb6d549c1a4c877fa7f5e1bfa188f30375d69", "comment": "Vulnerable Kernel Driver (aka WiseUnlo.sys) [https://www.loldrivers.io/drivers/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5fd41a6c-ea33-5f24-a582-91dd75cb4d70", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620583Z", "creation_date": "2026-03-23T11:45:29.620585Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620590Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"4ab41816abbf14d59e75b7fad49e2cb1c1feb27a3cb27402297a2a4793ff9da7", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5fe8dc0f-9e92-513d-bf3e-d39153e5ebd1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606523Z", "creation_date": "2026-03-23T11:45:29.606525Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606530Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6b3316496ab1e2d1ef02be966d9caa171674856e8fb8ea78d6a3bcfe8e2013c1", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "5ffa9f62-fbf7-5ef5-b8b5-df5b43aa16a8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969966Z", 
"creation_date": "2026-03-23T11:45:29.969968Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969973Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e27fa56ceff3fe7d5a723c5f4192ce6aa16994f88cf05935645f9e398292376a", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6001705e-4220-5a9d-87c8-c940b75a2728", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828405Z", "creation_date": "2026-03-23T11:45:31.828407Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828413Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ae986d6d28875a3f0ded62b1bea8b09420964eadda0f84aaae883e40ef392fd0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "60048928-7e6a-52a4-8486-d55184a0048b", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975220Z", "creation_date": "2026-03-23T11:45:29.975222Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975227Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "35b31c96194d78cbb98b3223bf810f78f53fc0e4601f49169938ca883586e4e9", "comment": "Vulnerable Kernel Driver (aka HpPortIox64.sys) [https://www.loldrivers.io/drivers/13637210-2e1c-45a4-9f76-fe38c3c34264/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "60086cd4-7cde-51d8-8461-b95a5f620ceb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491089Z", "creation_date": "2026-03-23T11:45:31.491092Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491101Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"66ead034234c85988239b0c0bf96d68bb56366cd85c6695e7c586f2c5823842c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "600c166f-e365-55ce-b204-4a4d3a689e09", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151246Z", "creation_date": "2026-03-23T11:45:31.151248Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151254Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a28f047f3fdd96e3a917dc99e106ae9fd4fd96b5671d9fa43b752e1ae7e5100e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "601e47b5-689d-5e7f-9cb7-c554a7d31d68", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977881Z", "creation_date": "2026-03-23T11:45:29.977883Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977889Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c67c6f1e03a466dc660bcad6051fc38eb6e9004a4e252abe52c6155f5768ad90", "comment": "Vulnerable Kernel Driver (aka driver7-x86.sys) [https://www.loldrivers.io/drivers/670dc258-78b5-4552-a16b-b41917c86f8d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6037a93e-6a54-5951-a11a-a1c3160df731", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493115Z", "creation_date": "2026-03-23T11:45:31.493119Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493127Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0e62b11cb14eca6a3c9ceb6f3f5741149742896f7dbb4b3407aa82e3412a34b3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "60402990-c588-5a24-9145-6e98acbb5dc4", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967784Z", "creation_date": "2026-03-23T11:45:29.967789Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967805Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c56536f99207915e5a1f7d4f014ab942bd820e64ff7f371ad0462ef26ed27242", "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "604175a8-026a-5913-82ce-e543b717b4d7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477355Z", "creation_date": "2026-03-23T11:45:31.477358Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477368Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", 
"value": "a7b51ba453918a897d18315213c105381151953edfec0850e9b01f66b2467d7b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6046e592-5933-587f-925d-bcf81eb61275", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159385Z", "creation_date": "2026-03-23T11:45:31.159387Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159393Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd80868d5010f97bd3426ff87326cfd01939e0c45fd3b27eb5a2028311ab1b1d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "604a9c8b-ed6e-5a36-8cfc-5cf1859f7fe3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823663Z", "creation_date": "2026-03-23T11:45:30.823665Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823671Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8b37cb203f790c11c291988871e3cfe34fe35cfa684c7c55b78934790f83d51c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "604d9045-d619-559c-9b8c-d5c4bc10cbbb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620658Z", "creation_date": "2026-03-23T11:45:29.620660Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620665Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7f190f6e5ab0edafd63391506c2360230af4c2d56c45fc8996a168a1fc12d457", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"6056d1ba-dbd8-5e72-bcfd-52dd4a9a2d00", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825041Z", "creation_date": "2026-03-23T11:45:30.825045Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825055Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c3988a428a3439452164edbf1abff6fabf257c97ab693f5a5c8149fc2fc17ca3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "60578438-f2cb-5103-ad69-a8b2c9b13452", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476629Z", "creation_date": "2026-03-23T11:45:31.476632Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476642Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a7cdda07837e62957e20d91d97c82c5ce11b3f35aa6b7ec482841628e2c81b46", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "605b193d-03a4-519c-bf0b-bf171a2dbab7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500336Z", "creation_date": "2026-03-23T11:45:31.500339Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500347Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "453e715f79a5c8b9c8222232b665a2cc60ab054a64685d402cd414ce7255eb65", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6070e473-0150-5486-86d8-8d5143e1ed35", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820900Z", "creation_date": "2026-03-23T11:45:31.820904Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820913Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8f29ddd1da190e2000fe5d42a032650dbe36bf1c7df9efb06159387a794e766b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "607a6150-2cb2-5678-a559-ddcd385c3926", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831602Z", "creation_date": "2026-03-23T11:45:30.831605Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831610Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "51857e19f774845e9ff4b463a42088bfd5a7c096fe1d3b677de4adc3e78cb239", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "60856f1e-4e2e-5c78-bc77-6783b043bcaf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475532Z", "creation_date": "2026-03-23T11:45:30.475536Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475545Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "983310cdce8397c016bfcfcc9c3a8abbb5c928b235bc3c3ae3a3cc10ef24dfbd", "comment": "Vulnerable Kernel Driver (aka vboxguest.sys) [https://www.loldrivers.io/drivers/0baa833c-e4e1-449e-86ee-cafeb11f5fd5/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "608e9852-4e22-5b79-b265-4bea6a7bc908", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826300Z", "creation_date": "2026-03-23T11:45:30.826302Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.826308Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "26f3439efa59eed34ebfd691aa51526ac299dbefb0a5504263e461aca531ac03", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6091bafa-edfb-5d9c-8a1d-83b564dc4387", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826277Z", "creation_date": "2026-03-23T11:45:31.826280Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826286Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b8dffa660be7c9d6ccc87311ed2038e7f65ff271234aee91b4e6eb320ce0ccd8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "609227ab-c0e2-5ed4-a90c-71b7d22990a4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970810Z", "creation_date": "2026-03-23T11:45:29.970814Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970822Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff93411c576df8e6bd0819a81b5c8006b3630001a0f65cd505d09ade7b151780", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6092eebf-1724-5f54-b7ef-c0e5f28e195f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619143Z", "creation_date": "2026-03-23T11:45:29.619144Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619150Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5c58c38e4737c750ccafa621a18d875299bb5440bb1900eb8469dcf4130049c8", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] 
[https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "60a316ca-5506-5081-8417-a195d79e801b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604807Z", "creation_date": "2026-03-23T11:45:29.604809Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604815Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0f97f6d53fff47914174bc3a05fb016e2c02ed0b43c827e5e5aadba2d244aecc", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "60aea1fc-ec81-5f53-b4b7-4cb816e71dec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973095Z", "creation_date": "2026-03-23T11:45:29.973097Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973102Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8f66b821601bbbc87aaf656f85d9c91b677a3c5e5162a69322eec51504a830c7", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "60b99017-fa90-5cda-aae1-2833c4b3ecff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613753Z", "creation_date": "2026-03-23T11:45:29.613755Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613760Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "60c6f4f34c7319cb3f9ca682e59d92711a05a2688badbae4891b1303cd384813", "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "60be8512-8a90-55cb-b95f-08cdd27aafe0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984821Z", "creation_date": "2026-03-23T11:45:29.984823Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984829Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47f08f7d30d824a8f4bb8a98916401a37c0fd8502db308aba91fe3112b892dcc", "comment": "Dangerous Physmem Kernel Driver (aka AsrSmartConnectDrv.Sys) [https://www.loldrivers.io/drivers/57f63efb-dc43-4dba-9413-173e3e4be750/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "60d97f0f-bb3a-5766-afb9-efce6a2f4811", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467792Z", "creation_date": "2026-03-23T11:45:30.467796Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467804Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "11dc70eb8864bc00b4b8e7c62a52c4602864e2ec717cc0606e1252b119c91085", "comment": "Malicious Kernel Driver (aka 
mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "60e325ae-75a1-5ed2-b845-27eaa34b1b88", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145588Z", "creation_date": "2026-03-23T11:45:31.145590Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145595Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e02a1a5c7b7fdb1a04392426a740e42f3318f5e1f597e727c6d15910fbe8e7c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "60e77ad7-2b81-5685-918d-3d6452a23841", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145948Z", "creation_date": "2026-03-23T11:45:32.145957Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": 
true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145962Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9bf84b41789b3d5d5622732b5c4f5630da189ede2098b0ce166fcae331178377", "comment": "Vulnerable Kernel Driver (aka TSDRVX64.sys) [https://www.loldrivers.io/drivers/424a387e-735e-49d1-99de-f067dcf1c3e9/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "60ebd6f3-d4c9-52d6-9586-2076d93c6b28", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480884Z", "creation_date": "2026-03-23T11:45:30.480887Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480892Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aa0c52cebd64a0115c0e7faf4316a52208f738f66a54b4871bd4162eb83dc41a", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "60f3c1cf-fe17-55c2-a2d6-ce82ec10d5a2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146619Z", "creation_date": "2026-03-23T11:45:32.146621Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146627Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "15e84d040c2756b2d1b6c3f99d5a1079dc8854844d3c24d740fafd8c668e5fb9", "comment": "Re-signed vulnerable TfSysMon driver used by ValleyRAT (aka amdi2c.sys and tProtect.dll) [https://x.com/anylink20240604/status/1905691075639222521] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "60f66a26-a6b7-53ac-84b3-7c00e8c29494", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153453Z", "creation_date": "2026-03-23T11:45:31.153455Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153460Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8823296ad5d22748afcf520b42bb36a499a59075f9ab20ad284a6d298d324d7a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "60fed010-f31c-528f-aa4c-d797608507b0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486581Z", "creation_date": "2026-03-23T11:45:31.486585Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486594Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2d3d845765157e937b7b28aed462df187a3cec9596addc5df54614fbd7eeb5d1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "61153147-5671-535c-95bc-14ad0cc4e590", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481647Z", "creation_date": "2026-03-23T11:45:31.481651Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481660Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "41c99deafb4d6abfd88eeba042974668ca9b353e815facf1323b4a8f82d22b14", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6150d20e-20b2-5dcb-842c-32efab2f5620", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823737Z", "creation_date": "2026-03-23T11:45:30.823739Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823745Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0a7c832f7e92bb42275284956430c67002b58af8483d8e338af8bed6b3bef369", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6155cc1b-0efb-5388-936d-075f8b4b0ef0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144428Z", "creation_date": "2026-03-23T11:45:32.144430Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144436Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd41e9a82e7be92a5d77624054a0b9e5e725492bae527f31e878140482ce802f", "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "616a840f-9cb9-5dca-bfd6-01ad502158a9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454419Z", "creation_date": "2026-03-23T11:45:30.454422Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454431Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230", "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) 
[https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "616eb9fe-7ec6-5c14-bd03-c6014ff587a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454996Z", "creation_date": "2026-03-23T11:45:30.454999Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455007Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cfe2dd2cf1eb8b79d3b4ae980cda6fd933979d47c837fda77256a24a41316468", "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6174d307-b55e-513d-b308-817a1657f131", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144221Z", "creation_date": "2026-03-23T11:45:32.144223Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:32.144229Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7af2ff5d405cf9cd1aee2410a969ba22d6df78d98e9d4e60cbe624d8a3bc64a6", "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "618785c6-cf85-585e-8b54-1d5ab7096efa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970650Z", "creation_date": "2026-03-23T11:45:29.970654Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970661Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "866c7615e52e73cb2f462e7db41570e513b1fb577088ef14f9eff0c5559b15ac", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "618e9a30-ee48-575a-929d-ecabf2bf099c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153367Z", "creation_date": "2026-03-23T11:45:31.153371Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153379Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d455f42dd0e8b01958840ab3d534bee8a1c3532540b1b6b3024d1435d174717", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "61b411e1-cd92-532e-81dc-33a78c2a8a07", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474423Z", "creation_date": "2026-03-23T11:45:31.474427Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474434Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "79294a62e1e87b177738b310bb4c90de6b60c02f2097562807a7f9f7bba8237d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "61bc437b-fa18-58cb-8d07-eb578321f533", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.484183Z", "creation_date": "2026-03-23T11:45:31.484209Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484220Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f28506a8904778d8daf691670cb862b079df76b29f629a2cd8dae93f7628000d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "61cbcc94-68df-55b5-8be5-9b2128626855", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145112Z", "creation_date": "2026-03-23T11:45:32.145114Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145120Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4f9b5a2fe29c436a53d36d8a2084369ac6a8cd59b9eb01b3d3fa293f3487d3cc", "comment": "Malicious Kernel Driver (aka driver_4f9b5a2f.sys) [https://www.loldrivers.io/drivers/b660d253-2b60-46c5-b95a-c354aa5eb154/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "61d72c1c-f906-5f69-be0a-15e5e1795a20", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478045Z", "creation_date": "2026-03-23T11:45:30.478048Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478057Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3bf4f8cb26ba38e54636864c744aac0839e7a1d6cb7b6cf13995e8ab19b9f7f8", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "61dcb723-1a2b-5dbe-b768-98f0753383a4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.815746Z", "creation_date": "2026-03-23T11:45:30.815748Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.815754Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5074f17c7cc4fdabec65b3b07132425ad0d9fefd993e896baba2f97f16277581", "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "61dedb8b-5824-5211-bc61-89dbb2003c33", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810829Z", "creation_date": "2026-03-23T11:45:31.810831Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810837Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0d332fd20e74b55500b47007c46493d34c736d046f2d9fca002ec9dc16983775", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"61e999a5-f582-5773-ac07-dce00ede1412", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146132Z", "creation_date": "2026-03-23T11:45:31.146134Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146139Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e96d64383a9ffc94a6c10abc77324e6e9b16b86757af21aa686e3c8aa3bb9190", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "61f45de2-4287-50c6-b22a-0d54cdb428e9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611711Z", "creation_date": "2026-03-23T11:45:29.611713Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611718Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d70bfea03deeea92a253f2b4a8b7181a3064f62c5207f94b5f7ce5a9e62ab4cf", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "61fee31e-8a79-5d07-acf8-ff7aca4184f0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824024Z", "creation_date": "2026-03-23T11:45:30.824026Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824032Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cb1874b72bd6d05c9fbef698c45a6da126ae430433fe1c16dec8ef095379e6b4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "620b583f-76cc-59c9-93ed-13258f0a02fb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474152Z", "creation_date": "2026-03-23T11:45:31.474156Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474165Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f58a54da72384be4633924060d8553d6b1a46d62b64964939a61454fe277f287", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "620fcf68-3508-5af4-9de8-b357b6926d6f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495188Z", "creation_date": "2026-03-23T11:45:31.495190Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495196Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d16dfca503373fddcc71e64f064cae1e2e9295bedaa345aa5388235478687b53", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6219657a-a4c1-5614-a2c5-41da03de1284", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831830Z", "creation_date": "2026-03-23T11:45:30.831832Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831837Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "20f0823320229b75f2f39f86e7499203ad06f3d52c03487ce7629c4b1a4819be", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "62218011-9d18-5d19-a93f-4e2d6c75c809", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465483Z", "creation_date": "2026-03-23T11:45:30.465486Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:30.465495Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ce4f8089b02017cbe86a5f25d6bc69dd8b6f5060c918a64a4123a5f3be1e878", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "62248f3a-5ddb-5b43-a3dc-84304e6f2456", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830259Z", "creation_date": "2026-03-23T11:45:30.830261Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830266Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b55e7f88289ce8018bdda56e1445b2f72f18dc29a6d3ba8e88da6a7bf83468f2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6224d19b-84a1-51c6-81bb-01a5e08c659a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815527Z", "creation_date": "2026-03-23T11:45:31.815528Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815534Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c9c7959f399de15f1d8cc13e269ff773d6f73361c7ab1f056921acb20dd514fd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6238d482-e9ea-5437-a858-e666d3f2e55e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481024Z", "creation_date": "2026-03-23T11:45:30.481026Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481032Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "89bc3cb4522f9b0bf467a93a4123ef623c28244e25a9c34d4aae11f705d187e7", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "623e65ae-dd4b-5dbb-8a53-578c2ef43a08", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970349Z", "creation_date": "2026-03-23T11:45:29.970351Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970356Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d43520128871c83b904f3136542ea46644ac81a62d51ae9d3c3a3f32405aad96", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "624a845d-4fa4-50c8-b549-efee40e8def0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829067Z", "creation_date": "2026-03-23T11:45:31.829071Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829080Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "966e8ab3a72e03b2be20ef9dae055a74a2b242603669115c6b8a33f01f273616", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6251c1c3-83b7-5d95-8d7b-898d2f4e3737", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817661Z", "creation_date": "2026-03-23T11:45:31.817664Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817672Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "070596ced6796cbf129925caa24bf3fd9b6d28f029bab9fdb772f44a0dd94f5d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "62587e2d-1b27-52ce-bbc1-736d526b4644", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159176Z", "creation_date": "2026-03-23T11:45:31.159178Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159183Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0a6f5a86311ba878bce8c0873b8bee0866e0eb1f9123c08fb528bd046c0daea9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "625b9626-014e-53bc-a9e3-3073a71a1339", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821527Z", "creation_date": "2026-03-23T11:45:30.821530Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821539Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e642d82c5cde2bc40a204736b5b8d6578e8e2b893877ae0508cfa3371fc254dc", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { 
"id": "626043a4-b23a-5d27-8cbb-53c6f107cc29", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147604Z", "creation_date": "2026-03-23T11:45:31.147606Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147612Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "84ff6cc24ef5d3b6ec34f60122b1a007e69c7ab8b1de225c95e2ee96ef3ba33c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "62608842-7df0-5f8b-b786-92d62e8a147e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479296Z", "creation_date": "2026-03-23T11:45:30.479298Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479304Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f020137cb08f86c48810780209a3f4a1fac361ed089ade61c1b5d6c64ded7872", "comment": "Vulnerable Kernel Driver (aka VBoxTAP.sys) [https://www.loldrivers.io/drivers/f22e7230-5f32-4c4e-bc9d-9076ebf10baa/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "62700c3b-224a-51d8-8e3e-1a870216fb0f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467384Z", "creation_date": "2026-03-23T11:45:30.467388Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467397Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "054c2b8c5e89a2bff72eb6e1169537cf8654b614d9aac1e1e3d8ea02343872fc", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6275493f-2995-52e1-8250-973da5d078ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:31.141962Z", "creation_date": "2026-03-23T11:45:31.141964Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141970Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a47692392fd8128e195aff14fc784abe68a1a0ab43c983d68d97ba63eaeffa55", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6291990d-a3c3-5d13-99dc-4fb5187f8701", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141273Z", "creation_date": "2026-03-23T11:45:31.141275Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141280Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b3b90be121cea851e54b303e3599331327bfc4bdf71be397ce4615fc9f1d1d5a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"6291d7f2-b283-5364-9b02-655693cf92c5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143439Z", "creation_date": "2026-03-23T11:45:31.143441Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143446Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7cc281510f92d2770745ad6baaecb6f5afb22e596303c3de07f605fde07acc98", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6297cfc1-c9d2-5da6-975d-7307dc432e35", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452432Z", "creation_date": "2026-03-23T11:45:30.452436Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452445Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "60fb851ce3da03c319a423979b47a95dd231085d89b26516f3e25164a1a14dfb", "comment": "Vulnerable Kernel Driver (aka Chaos-Rootkit.sys) [https://www.loldrivers.io/drivers/abcd2c10-1078-4cf9-b320-04ca38d22f98/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "62b92fb7-3905-5592-ba6b-d9a817aeacda", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825942Z", "creation_date": "2026-03-23T11:45:31.825944Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825958Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b4bc6684efbaa77e2468395c15a26a4b705bbdc9b3d791813ce37efa72c8268a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "62c454d7-3db4-577a-a6a5-f22be690a0be", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489677Z", "creation_date": "2026-03-23T11:45:31.489680Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489688Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a59a3bbad423479b34158025455d1506d399cc94f3d9b29f85cc5424bc8c73fd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "62dc498f-7951-5c85-b89e-a23ec03ad09b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983613Z", "creation_date": "2026-03-23T11:45:29.983615Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983620Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "07b6d69bafcfd767f1b63a490a8843c3bb1f8e1bbea56176109b5743c8f7d357", "comment": "Vulnerable Kernel Driver (aka HOSTNT.sys) [https://www.loldrivers.io/drivers/e42cd285-4dda-4086-a696-93ab1d6f17ca/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"62e14f51-4c72-5c3c-ada0-baf238bdca90", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985702Z", "creation_date": "2026-03-23T11:45:29.985704Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985710Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6ca42465bf4101ff63117c171cb31204dd29c45ba4ea7c31fd950f17e19b5d03", "comment": "Malicious Kernel Driver related to WINTAPIX (aka WinTapix.sys and SRVNET2.SYS) [https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "62e18c77-215a-5baf-b881-f8f709e89d76", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826048Z", "creation_date": "2026-03-23T11:45:31.826050Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826055Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "015d63812a826ba39fc54f00ce6846e38fa82acd09a57adb8c7d69027bc3f327", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "62e74a68-1ad5-5c86-8066-9159dea9b778", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479571Z", "creation_date": "2026-03-23T11:45:31.479575Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479585Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5f9071c4b299e0f415811c49f492ce5190ecfd13181632691c1ba16c26425b57", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "62f9562b-307e-591a-b51f-8423f70fcc39", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619285Z", "creation_date": "2026-03-23T11:45:29.619287Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619293Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "074ae477c8c7ae76c6f2b0bf77ac17935a8e8ee51b52155d2821d93ab30f3761", "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "62ff5df5-c04f-5561-bb6c-63f2507b97d2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605064Z", "creation_date": "2026-03-23T11:45:29.605066Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605071Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ee2a56c1592ff0e951b452c0de064eba05b7c98e3add04c8aa3b4a84eb797a5", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"62ff6ed8-2af5-5924-b008-9c059455d7d7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826603Z", "creation_date": "2026-03-23T11:45:30.826605Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826611Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bb4fce8163c75e9263e2baa7105ebbfb32f1f8b141c4d2a95ec7fa9411c63c05", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "63146c7f-05ed-575a-aa4d-d5e7bfa85cd4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826746Z", "creation_date": "2026-03-23T11:45:30.826748Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826754Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5ee96c28735bd6a839f15a13e6ca30692a286f5aacd4aa994016ec31d2f73ae1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6315dbe4-5515-5d7e-91d8-2bd5ceb1751a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814519Z", "creation_date": "2026-03-23T11:45:31.814522Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814531Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fc71b587095b255d48da485d290ab83c2d170fb2b930ba6ebe5019b90ed7be01", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "632cc686-f655-5f96-af47-d63cc6318254", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495041Z", "creation_date": "2026-03-23T11:45:31.495043Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495048Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "68aff67d444cb49461384ccc104fefe41c827cf6eda6bec30666cff7f2e72e0d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "632ce104-ff31-5975-901f-878a3a15d3ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828437Z", "creation_date": "2026-03-23T11:45:30.828439Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828444Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a1d2d98a6661b8752d1ad3679eb98928af3a110f83444356d089aa2e82161b54", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "632f3abf-ef42-5302-a829-9e61dfa36a91", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490261Z", "creation_date": "2026-03-23T11:45:31.490263Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490269Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9b286f4ddd11441738d5992b8da3e94fdc2f815d9dfea17aec5eb9dedce8cf2a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "63405bc0-80a7-5a87-89bd-48fec8c7269a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835772Z", "creation_date": "2026-03-23T11:45:30.835774Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835780Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e689ee12e6c00fc50a016040b0f4806ef873cc8792c0f43aa8c863a7a9d49b1b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6340b655-3f43-57e1-a258-75c16a07c83b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969347Z", "creation_date": "2026-03-23T11:45:29.969349Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969354Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ebe2e9ec6d5d94c2d58fbcc9d78c5f0ee7a2f2c1aed6d1b309f383186d11dfa3", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "634274e0-4460-5d76-9d0f-07963ff5083c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831439Z", "creation_date": "2026-03-23T11:45:30.831442Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831447Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b34989a6982c798ad8435fdc075ea340ad2a081059c9f11d0454f3bc37231992", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6348c5b1-cde3-5acd-9095-20318a5aac43", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619212Z", "creation_date": "2026-03-23T11:45:29.619213Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619219Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6ed3379d7ac1ad8bcfd13cd2502420569088ee7f1e04522ada48481d9a545a08", "comment": "Super Micro Computer physmem tool (aka phymem64.sys) 
[authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "63504905-0cb0-59d0-8c7f-8ef86d80c487", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614980Z", "creation_date": "2026-03-23T11:45:29.614982Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614987Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e68d453d333854787f8470c8baef3e0d082f26df5aa19c0493898bcf3401e39a", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "635c9606-ff46-561a-86d8-6d739d55845d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154822Z", "creation_date": "2026-03-23T11:45:31.154824Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154829Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f5ef7639538292747b22596c39e69ea93d4e22fa88c61c7d40a297f3f5bf583b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6364052a-f4cb-553b-b50a-16b4b53f2ba6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481486Z", "creation_date": "2026-03-23T11:45:31.481490Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481501Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2662c1709399ffd679f23a71fc51ceae58948add2f5bb6f61550f348211d54ef", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "63689efd-74b9-5d34-9dbf-4e2cf876b2d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159827Z", "creation_date": "2026-03-23T11:45:31.159829Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159835Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4d8119e6113e7959f975cb880c93f6a684f465811c4a250a43ad0b6bba88d9e0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "636a702b-ae92-539b-a49b-65b37bdeb960", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817574Z", "creation_date": "2026-03-23T11:45:30.817576Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817582Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0584520b4b3bdad1d177329bd9952c0589b2a99eb9676cb324d1fce46dad0b9a", "comment": "Vulnerable Kernel Driver (aka dellbios.sys) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "636ce957-5f13-5d12-9809-2ef587b0a43a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488569Z", "creation_date": "2026-03-23T11:45:31.488571Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488577Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b9c3d1f24b6d9f8bc53e7fec105ace9ce71e934ad84b79ab72c96364131b575d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6370e251-bd39-5a56-a901-566e908e40ef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479172Z", "creation_date": "2026-03-23T11:45:31.479176Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479186Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2cccda46ceddaa78ce1cb5a5fa2e0ff6d83a6f1f7fe8d1c26eff2a0cd539cf92", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "637bd7f1-a372-5468-b23d-6cf9b9c61705", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618477Z", "creation_date": "2026-03-23T11:45:29.618479Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618485Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c8cb72b9a011b60b1b9caea508b26fbbd95a1e3634af66082417381fe6544fb", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "637e8c32-1166-5bf9-8645-a58a5bdeea7b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820081Z", "creation_date": "2026-03-23T11:45:31.820085Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820094Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a55279e70f331ddbdb8d52f9b1e3af5a3462c589966283b9754cfe09821cb538", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "637f4dff-c6a6-5186-ad34-4189d9d80aa6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471379Z", "creation_date": "2026-03-23T11:45:30.471382Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471392Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"21e6d9229f380d5e9591beaa82bd93547f517af90707d7757f0e27ff4731b484", "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/fbdd993b-47b1-4448-8c41-24c310802398/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "63933b68-cd81-5626-beb1-1b23ff70e5ef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971655Z", "creation_date": "2026-03-23T11:45:29.971658Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971666Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1a166e70dcaf3ef12836db1927953ee528e532cdae8165e67d776971e4cbc48c", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "63954bab-0515-52c2-8fe6-28ee216a9c6e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.143892Z", "creation_date": "2026-03-23T11:45:31.143894Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143899Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bca0038cf1d952db22d8b201dec2e4c4eeeceff4b0cbb9d81974027ae4646fa2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "639fd72f-6e56-5797-9854-c2b1ecf5a44f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607491Z", "creation_date": "2026-03-23T11:45:29.607493Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607498Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1766fd66f846d9a21e648d649ad35d1ff94f8ca17a40a9a738444d6b8e07aacb", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "63ba3797-dfad-5f76-a4b9-06fb1238c48c", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980081Z", "creation_date": "2026-03-23T11:45:29.980083Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980088Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a720c9a95ab33b29c19fc37fed2b4d2079a2e4b9bd861d406043bd6010fc4d71", "comment": "Malicious Kernel Driver (aka mJj0ge.sys) [https://www.loldrivers.io/drivers/412f4aaf-5525-458c-b87e-311e504b856d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "63c91180-20ca-5c75-a622-0b2273810e91", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827179Z", "creation_date": "2026-03-23T11:45:30.827181Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827187Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"582b5a3d15aaed4d078c45b9ecd7812d5df987cda6de4c7e9fd9bc31c066679d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "63df8fa9-a7eb-5351-8f05-29de8568b1b7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465141Z", "creation_date": "2026-03-23T11:45:30.465145Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465153Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b2486f9359c94d7473ad8331b87a9c17ca9ba6e4109fd26ce92dff01969eaa09", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "63e2c42f-9db3-5a3c-a30f-d7511543b152", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974000Z", 
"creation_date": "2026-03-23T11:45:29.974002Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974007Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d783ace822f8fe4e25d5387e5dd249cb72e62f62079023216dc436f1853a150f", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "63e9c232-f698-5369-8865-0c034890a840", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481583Z", "creation_date": "2026-03-23T11:45:31.481587Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481597Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f0f87e224d93bcee82e751f24912a8000e9e650b4a5e34cd4516433d3b498736", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "63eaa8d7-a42f-5ba6-9d40-c97f6d254deb", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465001Z", "creation_date": "2026-03-23T11:45:30.465004Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465013Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "083f821d90e607ed93221e71d4742673e74f573d0755a96ad17d1403f65a2254", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "63ed6003-d2d9-5761-b2b3-37cd16fc0bd6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983050Z", "creation_date": "2026-03-23T11:45:29.983052Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983058Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"36861bb32abd5ba7955aa69269d27772f75d0306485d10ed045125816422c423", "comment": "Vulnerable Kernel Driver (aka WiseUnlo.sys) [https://www.loldrivers.io/drivers/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "63ee4378-cab2-54b6-8d2c-a992824b9fd0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823659Z", "creation_date": "2026-03-23T11:45:31.823661Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823667Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2a7f423e5a686a7114cfb5cf6a6070064fafd11cbc2337000c8c14c1f33ba256", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "63ff631e-12b7-56ce-be8f-042c3d867eca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149563Z", 
"creation_date": "2026-03-23T11:45:31.149567Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149576Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ad0de41b0a8f65fd1e8a07f3ba20e2a833f195f31ad4706da7b74a6fb04f3a91", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "640594d7-4a65-54ec-9f77-847d3b4c01ba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160304Z", "creation_date": "2026-03-23T11:45:31.160306Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160312Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "344b57aa48f2ef39cd7f1be46946c7d86c6f6ea0e018a4cc6033587cf366b299", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6414090d-24c6-5d87-9fdf-888a0f4e4a78", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474121Z", "creation_date": "2026-03-23T11:45:31.474125Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474135Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6d6f6cee30083462666718fa3cf9e83371a5df3b0826328122fa5497270ea605", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "641b611d-ffb0-5be6-90e7-7b6916bdccc6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974856Z", "creation_date": "2026-03-23T11:45:29.974859Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974881Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "6d6fe20c9f7ccfe723bf7feecb5acf773a85cb61286452dc4001589f82b1a424", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "642dd934-687f-5cb8-bc6b-9ab5f3fb6c17", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983772Z", "creation_date": "2026-03-23T11:45:29.983774Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983780Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e5b0772be02e2bc807804874cf669e97aa36f5aff1f12fa0a631a3c7b4dd0dc8", "comment": "Vulnerable Kernel Driver (aka GLCKIO2.sys) [https://www.loldrivers.io/drivers/52ded752-2708-499e-8f37-98e4a9adc23c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "642ec52e-34b4-59c9-89df-11ad44572906", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.475562Z", "creation_date": "2026-03-23T11:45:30.475565Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475574Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d53f9111a5e6c94b37e3f39c5860897405cb250dd11aa91c3814a98b1759c055", "comment": "Vulnerable Kernel Driver (aka vboxguest.sys) [https://www.loldrivers.io/drivers/0baa833c-e4e1-449e-86ee-cafeb11f5fd5/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "643a5106-3616-5edc-b3b4-32f5358f9782", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829220Z", "creation_date": "2026-03-23T11:45:30.829222Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829227Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "19f8229e01786a26efbc4edb0a2e4487bd920e25054a9f41118c7947a4eb5794", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "64472055-888b-5233-87a7-18a1932eb478", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823890Z", "creation_date": "2026-03-23T11:45:31.823893Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823901Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "44de27f89ff24682b904d4810849fd22a5e79e989e08c34c4940b4cdb0e7698f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "645d1e4b-a68f-51e0-9796-15abc87560cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817105Z", "creation_date": "2026-03-23T11:45:30.817107Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817112Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"070ff602cccaaef9e2b094e03983fd7f1bf0c0326612eb76593eabbf1bda9103", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "646bbcd0-bd96-5c61-965f-99f1fc44f617", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968862Z", "creation_date": "2026-03-23T11:45:29.968864Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968882Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1078af0c70e03ac17c7b8aa5ee03593f5decfef2f536716646a4ded1e98c153c", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "646d9987-13f2-58c3-ac91-9e4584600946", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608068Z", "creation_date": 
"2026-03-23T11:45:29.608070Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608076Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "61a1f530a5d47339275657d7883911d64f64909569cf13d2e6868df01a2a72cb", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "647d660d-2536-54f9-997e-b24a65505b99", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816424Z", "creation_date": "2026-03-23T11:45:31.816427Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816435Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b9d5c61da080a0e5d2127db2bc9d44b3f3c70c202c9552150bc69c7d4c94b0d6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6487129e-6d15-540a-be35-5bbd3c3b2c0a", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825467Z", "creation_date": "2026-03-23T11:45:30.825469Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825475Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4c8c0e8d9879f07f7d997d099d40d23a5bced78cc68296f2800577ab3478487f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "648972ef-a734-5dfe-8422-500d7a40bbaa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160909Z", "creation_date": "2026-03-23T11:45:31.160911Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160916Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "62b03c697cbda97c47abd8fa1ee9e15261f84fb274ac52d4673dab775cd161dc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "649b83ce-df00-54a5-84d6-2b0965b294df", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142664Z", "creation_date": "2026-03-23T11:45:31.142666Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142672Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff1a608df20f499b494851dab969088196a3115bafc4999e68e4144788bf8264", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "649d9ebb-0710-5c1f-8b69-a4981f55eb1c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819336Z", "creation_date": "2026-03-23T11:45:31.819338Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819344Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "837e2910d122f44501328bb217bbcda4dffdda8739fbcbf99d57171f42d19d8c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "649ed89c-c44c-51c6-bfd3-b2eed6c4eb6d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480770Z", "creation_date": "2026-03-23T11:45:30.480772Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480777Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "31e2e5c3290989e8624820cf5af886fd778ee8187fed593f33a6178f65103f37", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "64a4bf5b-4b9f-542f-91a0-efb3f744a4fe", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822529Z", "creation_date": "2026-03-23T11:45:30.822531Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822537Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "28bac5dbcdd887f35f8fef454d5df1f53c18a90c51d8222636f487a0f351f725", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "64a8b70d-ba09-5f80-8397-487b50e5b915", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622208Z", "creation_date": "2026-03-23T11:45:29.622210Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622216Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": 
"hash", "value": "6191c20426dd9b131122fb97e45be64a4d6ce98cc583406f38473434636ddedc", "comment": "BioStar Racing GT EVO vulnerable driver (aka BS_RCIO64.sys) [CVE-2021-44852] [https://nephosec.com/biostar-exploit/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "64aa82d4-7da8-59d2-9945-0cf763a7e43e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978388Z", "creation_date": "2026-03-23T11:45:29.978390Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978395Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "496f4a4021226fb0f1b5f71a7634c84114c29faa308746a12c2414adb6b2a40b", "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/a7628504-9e35-4e42-91f7-0c0a512549f4/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "64b41444-2a48-57a5-9c2a-769dc5a6630d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608759Z", "creation_date": "2026-03-23T11:45:29.608761Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608767Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "596ada5ecd89f53ec997c6791bc8f97dd9fbe3e9433b4eb086d7f4e1843aeb67", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "64b6ae9b-e600-5e8e-8537-73e71a19bee4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812134Z", "creation_date": "2026-03-23T11:45:31.812136Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812142Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b84a41a74ed61893ec976321dc761ee72385326e7ea2f46a1238f7af86f6787a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "64b7b2bd-2105-52f2-b35f-b96d6a596a16", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150495Z", "creation_date": "2026-03-23T11:45:31.150497Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150503Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7a77dee1db0339390fa27b11bb8e9e5a42456bff8475c56897ebf075ac0edb67", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "64d337d3-b02c-55ae-b66c-df6daee543f4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820754Z", "creation_date": "2026-03-23T11:45:30.820756Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820762Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"fa77a472e95c4d0a2271e5d7253a85af25c07719df26941b39082cfc0733071a", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "64d4d9d2-3681-5f76-88bc-c186456b9efd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461867Z", "creation_date": "2026-03-23T11:45:30.461882Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461891Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "be70be9d84ae14ea1fa5ec68e2a61f6acfe576d965fe51c6bac78fba01a744fb", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "64da875a-edbf-5509-902f-21ce7dfa93a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145400Z", "creation_date": "2026-03-23T11:45:32.145404Z", "enabled": 
true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145412Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4eaf2205cdd189cc96806bd5364a505f77ad5dbb622558cd374044965fd20658", "comment": "Malicious Kernel Driver (aka driver_e1123b59.sys) [https://www.loldrivers.io/drivers/11a73c42-26aa-446b-8560-43eecb265091/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "64e0b04d-dfe5-5e9a-8b5d-f584ef5e6dab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824004Z", "creation_date": "2026-03-23T11:45:30.824007Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824013Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c85c10c26b9941abb5e7bc3e5a01a128da7c44b8b2a24b2d2654225d48ae6f8f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "64f36027-17a5-5d2f-aaa5-a40117162dac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984729Z", "creation_date": "2026-03-23T11:45:29.984731Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984736Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab300e7e0d5d540900dbe11495b8d6788039d1cffb22e2dc2304b730a71eec97", "comment": "Dangerous Physmem Kernel Driver (aka asmmap.Sys) [https://www.loldrivers.io/drivers/d0048840-970f-4ad5-9a07-1d39469d721f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "64f70719-cc96-5d48-bdb8-840631d1a640", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613460Z", "creation_date": "2026-03-23T11:45:29.613462Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613467Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "11eecf9e6e2447856ed4cf86ee1cb779cfe0672c808bbd5934cf2f09a62d6170", "comment": "ASRock vulnerable drivers - Privilege Escalation (aka 
AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "64f8d71e-7176-5b19-8f40-84386f638172", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152568Z", "creation_date": "2026-03-23T11:45:31.152570Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152575Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c4985e6dd1719e2b4d40e2748ea6d631fa75a8d0c36ef9f05a7bf910d7583700", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "65062a53-1930-5b23-954b-0ef08c0d0350", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459651Z", "creation_date": "2026-03-23T11:45:30.459655Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459664Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e9b433a33dc72eb2622947b41f01d04a48cd71beac775a88f3f1e4c838090ee8", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "651ca25e-48ff-5848-9ee3-bccc52173c4a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817017Z", "creation_date": "2026-03-23T11:45:30.817019Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817025Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e928948ee36fa14c99a9147cd3b8d4c8c1917c52b50857d922ac72ed55d1f8e7", "comment": "Vulnerable Kernel Driver (aka SMARTEIO64.SYS) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "654326fb-92f9-5f74-b6ab-3abce2fa978a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613424Z", "creation_date": "2026-03-23T11:45:29.613426Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613432Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c767a5895119154467ac3fce8e82c20e6538a4e54f6c109001c61f8abd58f9f8", "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6544316f-5707-53b9-819f-928dec6519cc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607452Z", "creation_date": "2026-03-23T11:45:29.607455Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607460Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "077aa8ff5e01747723b6d24cc8af460a7a00f30cd3bc80e41cc245ceb8305356", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] 
[https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "655f1e1e-3219-5d48-96a4-dbc9becca136", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619767Z", "creation_date": "2026-03-23T11:45:29.619769Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619774Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9c4ffe4815b5755d2609be21ba53c9157e8f71137f06fe35044406b968b80320", "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "65698cd5-87c1-544c-8b6c-92365c297401", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835349Z", "creation_date": "2026-03-23T11:45:30.835352Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:30.835359Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "06605cc9d052e471bfe48802dbd85c8fc3dfd0c0746878a42f7659888d4fc191", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6590d364-bed4-538a-b600-88e521308295", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974384Z", "creation_date": "2026-03-23T11:45:29.974386Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974391Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1f642b5e76572b80684d15bf48bb6e2b6d2743171280ab50502284808a515904", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6596fe30-7d44-5bcb-9cb5-17a79f12acbc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.986214Z", "creation_date": "2026-03-23T11:45:29.986218Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.986224Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d055be2671e136c937f361cef905e295ddb6983526341f1d5f80a16b7655b40", "comment": "Vulnerable Kernel Driver (aka VBoxUSBMon.sys) [https://www.loldrivers.io/drivers/babe348d-f160-41ec-9db9-2413b989c1f0/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "65a6a867-6f41-5395-8c87-e3c751bfd7a0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493763Z", "creation_date": "2026-03-23T11:45:31.493766Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493774Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "283f5edbbe9a4a65a7e421627a23a946233fb4dc9237ab395547f2a30f3d8f08", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "65abc760-c3fe-5026-abab-0d6f56c1dfbc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606558Z", "creation_date": "2026-03-23T11:45:29.606560Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606565Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6ba919c4ab0eff0058547e3b57442212e5d3e34be28d826fc2a191883fa18b6e", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "65b1d504-064e-5d74-b2c7-eddc67b917cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485321Z", "creation_date": "2026-03-23T11:45:31.485325Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:31.485334Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "402d4ea7e321cf2cfbabc3908043dac1f1da6c630f9380979fcbc6c7a594c4bc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "65c04d2a-5d51-51a6-9c1b-3af7b24cc4ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816227Z", "creation_date": "2026-03-23T11:45:30.816229Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816234Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d1463b7fec911c10a8c96d84eb7c0f9e95fa488d826647a591a38c0593f812a4", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "65c5388f-c34f-5798-b031-229373ee7460", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827489Z", "creation_date": "2026-03-23T11:45:30.827491Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827497Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "adf94caaaa25cc59790e03095491cfb6cd572045bfafb2eb6d2ec54ee254dfb8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "65c6d37a-5060-5797-a936-93d4d2e12eb5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984157Z", "creation_date": "2026-03-23T11:45:29.984158Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984164Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f0605dda1def240dc7e14efa73927d6c6d89988c01ea8647b671667b2b167008", "comment": "Vulnerable Kernel Driver (aka OpenLibSys.sys) 
[https://www.loldrivers.io/drivers/2e4fedb0-30ed-400d-b4e1-b2b2004c1607/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "65cc3d27-977b-547c-8765-1055e2d15b12", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474650Z", "creation_date": "2026-03-23T11:45:31.474654Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474663Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fb810b820972a5817b7a7e793c3ba15eea67a234f54ed82a9db7ed57d2bce477", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "65dbd266-bd59-5e13-af5c-1197a01cee35", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818408Z", "creation_date": "2026-03-23T11:45:31.818412Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818421Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b12d0368991e9d93d9fa131dab8d535a0b15f260df062f548f859306a94e932c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "65e6f463-2105-5194-9deb-f8b7c40ea215", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984656Z", "creation_date": "2026-03-23T11:45:29.984658Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984664Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "21af8e034ca42ab24a5d1623f70de9c66eeea63d72aeb0f1846b1e04dbdf4f51", "comment": "Vulnerable Kernel Driver (aka BS_I2cIo.sys) [https://www.loldrivers.io/drivers/66be9e0a-9246-4404-b5b5-7fbde351668f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "65ec4d6f-b709-51e3-99d1-74e962ea50fd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980168Z", "creation_date": "2026-03-23T11:45:29.980170Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980175Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ad8fd8300ed375e22463cea8767f68857d9a3b0ff8585fbeb60acef89bf4a7d7", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "65f06645-229d-5bf7-9270-098096e331fa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969506Z", "creation_date": "2026-03-23T11:45:29.969508Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969513Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4e89a5a25969953961db2a2a1a5c73c8af48f7af169ac3fd098171556bf0854d", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] 
[https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "65f1ef83-2340-5b41-b65d-2a3120591628", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816654Z", "creation_date": "2026-03-23T11:45:30.816656Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816662Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7220924a787b57f757dd84b30bcd53eb11647eb65a94bfb6ffc6773aa6e6f1bf", "comment": "Vulnerable Kernel Driver (aka avalueio.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "660b63f3-d25c-59cb-9b38-662236b5d029", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832799Z", "creation_date": "2026-03-23T11:45:30.832801Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.832806Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1fcba19e4897ac0b03116ae3e533a361cfcb7bddba880edbf6bc89b9df056671", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "661269d3-3578-5f07-9b4f-e2b4b589e70b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984191Z", "creation_date": "2026-03-23T11:45:29.984193Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984199Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6f3937451f0170a0aec3033cadceeb86ab30ee3c67add3926e116ccc20c0d9a7", "comment": "Vulnerable Kernel Driver (aka OpenLibSys.sys) [https://www.loldrivers.io/drivers/2e4fedb0-30ed-400d-b4e1-b2b2004c1607/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6612fecd-6b53-5cf7-8472-498bad7e0729", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818626Z", "creation_date": "2026-03-23T11:45:31.818629Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818637Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f5a1fa889a6ce70d3ffee1cf2da3ee2b3c0c12a60226fc91fd9df1dae87e56cf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "661cff52-c50c-59e2-a650-8bee7d2fc257", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615065Z", "creation_date": "2026-03-23T11:45:29.615067Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615072Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "952199c28332bc90cfd74530a77ee237967ed32b3c71322559c59f7a42187dc4", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) 
[CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6625ded1-3b30-51a2-852c-4ce8f68a7f8a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974178Z", "creation_date": "2026-03-23T11:45:29.974180Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974185Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2175f4289f3bae19b058e5a4f590c200bede255cd2716dfb054d5e0840f70359", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "662c4686-eb7d-556b-af91-0c2f5709d7ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473213Z", "creation_date": "2026-03-23T11:45:30.473216Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:30.473225Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a3975db1127c331ba541fffff0c607a15c45b47aa078e756b402422ef7e81c2c", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "66312cbe-6971-5bfe-8601-de8e1c73cb6c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151442Z", "creation_date": "2026-03-23T11:45:31.151445Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151454Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "423ab4aecd6f5241eb64922e891f09d8e90ee37a92ced8f750be152bf990bdc2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "66345812-b972-50c0-a749-7dd872013dd5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488691Z", "creation_date": "2026-03-23T11:45:31.488692Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488698Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "301a1c82ed1a6d543be168e5d20a78b108829a0ec790a1bfc3628b80c56664ec", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6634ff5f-e7cb-5723-8b93-8bd8fea5ff9a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478571Z", "creation_date": "2026-03-23T11:45:30.478574Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478583Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8561c82c5ae1ab2a5d9214adc620875d83ed7cb9a01253988f5e5aceffe7a901", "comment": "Vulnerable Kernel Driver (aka vboxdrv.sys) 
[https://www.loldrivers.io/drivers/2da3a276-9e38-4ee6-903d-d15f7c355e7c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "663ea6df-11af-5773-a442-b4c7eecf50b9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607834Z", "creation_date": "2026-03-23T11:45:29.607836Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607842Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d7ddf874304556f8a10942a29b3d387cb5155a7419f87813557fe728cb14806d", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "66470292-2004-5352-9acd-6f35b66dfd00", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819260Z", "creation_date": "2026-03-23T11:45:30.819262Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819268Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2f8b68de1e541093f2d4525a0d02f36d361cd69ee8b1db18e6dd064af3856f4f", "comment": "Vulnerable Kernel Driver (aka hwdetectng.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "664ab1e1-4b9f-59ac-b95d-89e227568ff0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821329Z", "creation_date": "2026-03-23T11:45:30.821332Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821340Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c6a5663f20e5cee2c92dee43a0f2868fb0af299f842410f4473dcde7abcb6413", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "66516eff-f81b-5268-a694-f0a5b681a03a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825136Z", "creation_date": "2026-03-23T11:45:31.825140Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825148Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f736f6440a3c64238229f013e09bb45973e184a81947b6b9d5d851b7209f653c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6652387b-3163-5cde-95ac-d8c503bf397d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491419Z", "creation_date": "2026-03-23T11:45:31.491422Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491430Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f2edfc4d4a23b28f3157025d4a7235bebd649524fa3844805ddf05fbbc8ae6b0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6664b715-325d-5ada-8f9e-fd7c099ec8ac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972526Z", "creation_date": "2026-03-23T11:45:29.972528Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972533Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "263e8f1e20612849aea95272da85773f577fd962a7a6d525b53f43407aa7ad24", "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "66786378-97dc-56ef-a4bc-c82cb4b4ddf5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142434Z", "creation_date": "2026-03-23T11:45:31.142436Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142442Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c22f7f12154a4d834f76210372bf9ae79cf9e5bdaa5a9a319274c2d4da73eb12", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "66835805-bb8f-5449-b98a-a821491be3b3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154093Z", "creation_date": "2026-03-23T11:45:31.154096Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154101Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c498def339dbf7392a6290a34250a44928ef97cac638651709a2ccf7b7cf9176", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6684899d-c8f7-534e-b7be-4b80a4914527", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832151Z", "creation_date": "2026-03-23T11:45:30.832153Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832159Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c0a07bf1777e2b8c94226af8b9acdfff7f8719c59262c9fc1bd4805ee40c2b1b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "668cd0d3-d1aa-5c2c-bd04-2912f66ea7b8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146322Z", "creation_date": "2026-03-23T11:45:32.146324Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146330Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"bfcbc010432a89714349bd487555cec1ab5299a70f533a16d326a69e15e0c203", "comment": "Malicious Kernel Driver (aka driver_bfcbc010.sys) [https://www.loldrivers.io/drivers/dbfcce10-76a3-44a4-a9b8-d7126152a235/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "669024a2-67cd-54e5-b511-d8e03fe8efa5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611252Z", "creation_date": "2026-03-23T11:45:29.611254Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611260Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "55a69f740a77fc07073c3d077d029dfb2dbe4b673171167e7310bd857eb55982", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "66b4d0ed-270e-5798-a395-d7ec926c7de5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149727Z", "creation_date": 
"2026-03-23T11:45:31.149731Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149739Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "24859bbd60d50a2d8d374aa9becbd98184d542a5c78cef21be027895e663aeba", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "66b5801f-5d2c-5de7-a855-9311cae2e699", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620620Z", "creation_date": "2026-03-23T11:45:29.620622Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620628Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5ee292b605cd3751a24e5949aae615d472a3c72688632c3040dc311055b75a92", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "66b653b9-79b7-5d84-ab2f-6080b7316435", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604319Z", "creation_date": "2026-03-23T11:45:29.604321Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604326Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9fb474b921371c4679582df8484932b832345693de94e3c4a158638b4d75a19c", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "66bc2424-1c5f-5217-b316-f6d66f8b974c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488742Z", "creation_date": "2026-03-23T11:45:31.488744Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488749Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"069daefa61c2c3cc1a2cc2cef5eff2434b7782ad31a575d0ffdf3f54fd5f54bf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "66c6ae36-66da-5240-9a6c-465c9d04263e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155362Z", "creation_date": "2026-03-23T11:45:31.155364Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155370Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "15f15f3c86a787804c532e1a17473b2397b1456109f7b927b0d0f3ba2f1af95b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "66e34cf2-0695-58a8-b160-4c397985c0db", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499749Z", "creation_date": "2026-03-23T11:45:31.499752Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499760Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff7dd4ca5a70cb984d5445d754f3fd252d82acd7aee23bc9539b3f09bad49184", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "66e3933c-f20e-56e4-8321-55a62c7ce551", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499802Z", "creation_date": "2026-03-23T11:45:31.499805Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499813Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "80de49749d304bf445e1f8f0710b1a2e85580e1ab153194819edeb9c790b6c95", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"66e658b1-6b53-50cc-a0f1-5c7b68618490", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610228Z", "creation_date": "2026-03-23T11:45:29.610230Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610235Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e7ebf97a50828f00d7e70140aff5ece77c1eb728be0d9bfceccbebd14b958271", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "66e8e828-f542-59b6-bbb8-74cef653b951", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818990Z", "creation_date": "2026-03-23T11:45:31.818993Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819001Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "b9912bc91b85aba24ac99e16550ed7002a44a8f935276da02ce0a7c8f0ed828e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "66eed7d0-6044-5e52-a1a6-9bb602986e7f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823553Z", "creation_date": "2026-03-23T11:45:31.823556Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823564Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2969fa0c80f89b7d56ddc48c7095b298e2e2a1d24b8512b401b97506a3ef619c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "66febed4-a11a-5228-9284-8ce79761b7cb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606960Z", "creation_date": "2026-03-23T11:45:29.606962Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606967Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "17bdeeb4447f0758c3720991d3ed43a405efb49fd2cdbb37f7b5feb349693acb", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "66ff1fe5-a896-5598-8962-27958f608e1f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979516Z", "creation_date": "2026-03-23T11:45:29.979518Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979523Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea50f22daade04d3ca06dedb497b905215cba31aae7b4cab4b533fda0c5be620", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "66ffccf1-4643-56a0-92ef-76af01ce12a0", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465397Z", "creation_date": "2026-03-23T11:45:30.465400Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465409Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "62764ddc2dce74f2620cd2efd97a2950f50c8ac5a1f2c1af00dc5912d52f6920", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "67070c69-11bb-5b03-8b70-0db3933a6baf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.142969Z", "creation_date": "2026-03-23T11:45:32.142971Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.142977Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"d253561067550539a9aca8884846432116fac5eee9948f2c5bdce7cf61985b7d", "comment": "Vulnerable Filseclab Driver (aka fildds.sys, filnk.sys and filwfp.sys) [https://twitter.com/SophosXOps/status/1764933865574207677] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "670c55f0-9ef5-5344-8354-14ba5b9387c1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140800Z", "creation_date": "2026-03-23T11:45:31.140802Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140808Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "81bb50d82e7a8524e86aaa97be12a21d697fdb3232891cbd5c3cf6d559355cfa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6712a352-3166-554e-9201-38b568359ad0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.152494Z", "creation_date": "2026-03-23T11:45:31.152497Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152505Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "31b740adf90543537cdcd20dc600cd9741ecaaa0c3b8e886e6b2abdca4e2c8ce", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6729f487-410e-52b4-9fe3-57b729f979d8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821601Z", "creation_date": "2026-03-23T11:45:31.821603Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821609Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9a3ac9361f7af572bc159f0c0abd860012eae7b5cfb2d884d2ad3126217241cf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "672af660-b0a3-5472-9a65-cf590cadb0eb", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606706Z", "creation_date": "2026-03-23T11:45:29.606708Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606713Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8c2be8539dab5df7574557c5946862ad15e44b1659db96b9ec4a8a7ec43636ce", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "672f6010-ae93-585e-bd71-f1e8a6c575e1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814040Z", "creation_date": "2026-03-23T11:45:31.814043Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814051Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "695aaf49d9179944f8aeb9fe09cfe73ee690224a9fb569a81fe42872cbf893ae", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "673bf240-4878-5a1a-ab0a-64e08550949e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817197Z", "creation_date": "2026-03-23T11:45:30.817199Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817204Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8a982eed9cbc724d50a9ddf4f74ecbcd67b4fdcd9c2bb1795bc88c2d9caf7506", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "674231a5-0043-5d86-8a1b-fd888e815bce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.143844Z", "creation_date": "2026-03-23T11:45:31.143846Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143851Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2a9aa7d47997abe627a9a13a72c59a8e1eda71bbcf1956bab29e511463e1908d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "674a286c-b967-5fce-af0b-04109eb70da4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490557Z", "creation_date": "2026-03-23T11:45:31.490559Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490565Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "626b55bb5118e8e611ffadf79ad2e7606255c343caf9efc844f1dda6ba2406ea", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "675a4fbb-d4aa-5fb9-a4d8-69d80cdc4185", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614945Z", "creation_date": "2026-03-23T11:45:29.614947Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614953Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d92eab70bcece4432258c9c9a914483a2267f6ab5ce2630048d3a99e8cb1b482", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "677686fe-cfe5-50e6-a2f6-ede9cfdaea60", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821357Z", "creation_date": "2026-03-23T11:45:30.821360Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821369Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": 
[], "type": "hash", "value": "5c80dc051c4b0c62b9284211f71e5567c0c0187e466591eacb93e7dc10e4b9ab", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "678a9bf9-e627-56f8-acfc-12341f6676c8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622366Z", "creation_date": "2026-03-23T11:45:29.622368Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622373Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b2ba6efeff1860614b150916a77c9278f19d51e459e67a069ccd15f985cbc0e1", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "678f1f81-658d-59a6-b3fe-5b7ba04e6943", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:31.815215Z", "creation_date": "2026-03-23T11:45:31.815217Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815222Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "21e65f2c00631ac77fea052ed981acf655103ca877d7cbab573a79b93fba9d5b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "67949cc7-1a42-5a80-8939-457a73802c3d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975604Z", "creation_date": "2026-03-23T11:45:29.975606Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975611Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "da11e9598eef033722b97873d1c046270dd039d0e3ee6cd37911e2dc2eb2608d", "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"679b3e2a-b621-558b-a9dc-87af2ac4bf7a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975290Z", "creation_date": "2026-03-23T11:45:29.975292Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975298Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4cd6dbc00264998beb4f4c09c10e3577b6e0579380856e205a9335b331f4261d", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "679f8097-3389-5a09-9d00-d91c1e620a2d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495169Z", "creation_date": "2026-03-23T11:45:31.495171Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:31.495177Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c02c6e10d05715f21b6fdee9b3ed02a48106a0c39a0a8ae90a0a4740faad0e59", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "67a00de6-d15b-5a3c-9c98-c971571c694c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142575Z", "creation_date": "2026-03-23T11:45:31.142577Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142583Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1b83e89b7dc79199184516cb3ab12d09d574e02db2bbbf96a2d08ae56087e747", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "67aaecd0-4e70-53a3-baf5-2fbbe962b32a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834815Z", "creation_date": "2026-03-23T11:45:30.834819Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834828Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8d10013155f36d0a9343b8dde6c7851e6bbdabc14f23b56ca66692c8240775ad", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "67acd985-1c04-5d1b-af08-fcac6a0d1de0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.484422Z", "creation_date": "2026-03-23T11:45:31.484426Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484436Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fb0f056c45a8b828e452797415b027030f056820ed12fd693ee20cd92318e19b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "67b1e0e5-c386-5460-a7cf-17f2a5dc4528", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155487Z", "creation_date": "2026-03-23T11:45:31.155489Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155495Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a909f65973d55078973ff6632e2f84fb2378392eadf01b04eb373bed9f8f33f9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "67c1a957-7697-5a68-b50b-92eb7f4f0d4e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605120Z", "creation_date": "2026-03-23T11:45:29.605122Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605127Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bf80a8d047b6dbd239e3e6869b931c31a62de059b24bd76c3564df9125b5aac3", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "67d89456-928c-5071-820d-d708e96f3ce1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967261Z", "creation_date": "2026-03-23T11:45:29.967264Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967273Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "63d61549030fcf46ff1dc138122580b4364f0fe99e6b068bc6a3d6903656aff0", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "67dc737d-9d23-5aa9-b22f-52f2b414088d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810733Z", "creation_date": "2026-03-23T11:45:31.810735Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810740Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c0778ad68d1485165c7295582d49f565912300972b0779bd4a9a1bfb0730448c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "67f2e03b-64c0-553e-a24c-64a3c956439f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977729Z", "creation_date": "2026-03-23T11:45:29.977731Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977737Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cc383ad11e9d06047a1558ed343f389492da3ac2b84b71462aee502a2fa616c8", "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) 
[https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "67f41213-84f0-5cf2-a2cf-3db8860720f6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621846Z", "creation_date": "2026-03-23T11:45:29.621848Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621853Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "12af7c39519e16307c2c62a84ca40017b43acf7fa90ec97c182701ffcffa1b61", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "67fc1afe-44f9-5c8c-a893-7088b12e29c0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621599Z", "creation_date": "2026-03-23T11:45:29.621601Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.621606Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "910479467ef17b9591d8d42305e7f6f247ad41c60ec890a1ffbe331f495ed135", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6806dd67-8e9e-5764-b246-0e030241ad7e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480909Z", "creation_date": "2026-03-23T11:45:31.480912Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480922Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0a310c13415346c957240adfd34f0c7cdc893e52b3bdfe6c7dc0f779bef69d5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6814e803-0c08-5842-a4c3-7c0766c99a17", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976660Z", "creation_date": "2026-03-23T11:45:29.976662Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976669Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2a30ad675142cf411e7e5f5c53c6423de570a398295b0956130a7a7d77383103", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6836d735-b0ac-58ca-854a-53372572dec7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470042Z", "creation_date": "2026-03-23T11:45:30.470045Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470054Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d67899bbb43fec01b10b33105eb970d44aac5b81dd22cab8bf2d86302f6d08a8", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] 
[authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "68392165-efae-5b5b-a804-d50676a26e74", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812616Z", "creation_date": "2026-03-23T11:45:31.812618Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812624Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "180eddf47ade5cc9a22bb564b989d4671dee90eded8e6317f34cf298ba27d4e5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "683cfa93-682f-5cbe-9b0b-12cc2b542bde", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493060Z", "creation_date": "2026-03-23T11:45:31.493064Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:31.493071Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1485550a497d9d37a6590b89670694b3d543f4c2dbabd11ae5998c169483a34f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "68876d9d-0013-5845-85bc-ea99fb5d5f86", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622926Z", "creation_date": "2026-03-23T11:45:29.622928Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622934Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c0752dc13548fe8d3b5a7a73c04ebcd7bcfa5e4ecec9ba233d193bd36ed4b54e", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "68954278-6904-5a9d-84a5-795295634088", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972807Z", "creation_date": "2026-03-23T11:45:29.972808Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972814Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "230fe99d425e870cc03383b195d5a8c0ef3d191baaa4104f6f4cdee4960c48fc", "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "68ae7d1d-0f4a-571b-9b35-7246af338288", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146186Z", "creation_date": "2026-03-23T11:45:31.146188Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146194Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "971fb60f6027f273c78d9cce3c64d2d967266f64e55c11f1280f0648c517b9a4", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "68af214a-3326-579d-a5c1-e272459850c4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611966Z", "creation_date": "2026-03-23T11:45:29.611968Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611973Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "69e3fda487a5ec2ec0f67b7d79a5a836ff0036497b2d1aec514c67d2efa789b2", "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "68b5ff02-1ad9-5241-8075-da91eb972cef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149698Z", "creation_date": "2026-03-23T11:45:31.149702Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149711Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "81e7666f31109310bef267df23fad8165004b72ef8ff75a6ae45026bceb33a66", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "68ba57f4-7093-549f-a381-76c1c838ecd2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808450Z", "creation_date": "2026-03-23T11:45:31.808452Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808458Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dbe13204cff54a9a8fd19aba5b40e994bfe29f1bfe18547a5975e546ca4b4bb9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "68cf5ceb-eb03-55d5-ae1e-cd261e05f4d9", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830359Z", "creation_date": "2026-03-23T11:45:31.830361Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830367Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "661e45e398bcaa6be493ac9bdc0eae5f604d92c9f72c0a382ce95ea609c66339", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "68f5c4da-7818-5ff9-8e5c-7adcc5a9fe50", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.142868Z", "creation_date": "2026-03-23T11:45:32.142870Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.142892Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", 
"value": "ae55a0e93e5ef3948adecf20fa55b0f555dcf40589917a5bfbaa732075f0cc12", "comment": "Vulnerable Filseclab Driver (aka fildds.sys, filnk.sys and filwfp.sys) [https://twitter.com/SophosXOps/status/1764933865574207677] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "68feafde-76f3-554d-826a-9bf36020231e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607293Z", "creation_date": "2026-03-23T11:45:29.607295Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607301Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5f7e47d728ac3301eb47b409801a0f4726a435f78f1ed02c30d2a926259c71f3", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "69021801-4155-5739-b3da-a4c524b16832", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.150581Z", "creation_date": "2026-03-23T11:45:31.150583Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150589Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e9f54bd1f5d87827e228c285661303da1ecf8f4b566ef566487b356df5afaf75", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6904b38d-5e71-5ea5-9530-ecdff1f51fce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491778Z", "creation_date": "2026-03-23T11:45:31.491780Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491786Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0e8a8c2d6cab17e8f29a8ce5eededc2be0bf373c71dc23b3b24a03e172cef151", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "690f0ca7-2a6f-5d89-bcd1-707bfadcfc6c", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820443Z", "creation_date": "2026-03-23T11:45:30.820445Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820450Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "71423a66165782efb4db7be6ce48ddb463d9f65fd0f266d333a6558791d158e5", "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "690ff1ef-3024-5d4f-9b98-407823a40d58", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983938Z", "creation_date": "2026-03-23T11:45:29.983940Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983952Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"57d36936fbf8785380536b03e5d9be172e5dd5c3bf435e19875a80aa96f97e1f", "comment": "Vulnerable Kernel Driver (aka iomem64.sys) [https://www.loldrivers.io/drivers/04d377f9-36e0-42a4-8d47-62232163dc68/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "692308e3-90eb-5cea-9242-14fe798ec6a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453254Z", "creation_date": "2026-03-23T11:45:30.453257Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453266Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1e9c236ed39507661ec32731033c4a9b9c97a6221def69200e03685c08e0bfa7", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "692ef2f3-73fb-5e40-b115-a7e1e8a83eb6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485225Z", "creation_date": "2026-03-23T11:45:31.485229Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485239Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "25840fd4b3d38ec389e0c24264e2d1bb1a6fa6942d62c8dcb36dc0033044ffc0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "693a9dd6-8888-51b9-b490-40efe9c3a364", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151628Z", "creation_date": "2026-03-23T11:45:31.151652Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151661Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c71ce7ec68a7ac488a512a97b0e2e63e6c7fcda46f6192ffdffae4d89fc4d650", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "693d8e1c-85b7-5323-a1f2-8b018ad7d3e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145718Z", "creation_date": "2026-03-23T11:45:32.145720Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145726Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cba6df77d819fc098c160402a47ccb616414cbe7e42ea91417cbb5941e04ce41", "comment": "Malicious Kernel Driver (aka driver_1afc1d06.sys) [https://www.loldrivers.io/drivers/d7773616-9860-4768-b6a2-d74f32c23b4e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "694235cd-f3e7-5470-890a-f3b1a16ec980", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154246Z", "creation_date": "2026-03-23T11:45:31.154248Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154253Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c30da1c7ddbc765f29372789babc58dd9300002d200c8f65111e542e335abb86", "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "69625a58-e2df-5bef-bdd9-0ca510baecef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608404Z", "creation_date": "2026-03-23T11:45:29.608406Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608412Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e553f5f3b03c3ace8aa47f74df13336873c0ea72c9a192eeb08b59555e007540", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "69665441-1b67-55f0-b0c4-cba7aa46e860", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968258Z", "creation_date": "2026-03-23T11:45:29.968260Z", "enabled": 
true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968265Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "910aa4685c735d8c07662aa04fafec463185699ad1a0cd1967b892fc33ec6c3c", "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "696ba961-8e87-5a09-85c5-f3f4b8f9c97f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479634Z", "creation_date": "2026-03-23T11:45:31.479638Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479648Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4eecc35524994dc1aa9a21aeb84d3f46463308ea7fb711ec7d7740727c470aae", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "696c56bf-a3d4-51e1-9e39-72e65068399b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830752Z", "creation_date": "2026-03-23T11:45:30.830755Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830760Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "902b3541c697eb5240438850e952dea654b9d4cbb27f1883f642b41da1ce9fd4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6978114d-3277-5a29-baba-fe59139a80e1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148834Z", "creation_date": "2026-03-23T11:45:31.148836Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148841Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"27ec6df3c20c75a5fda013b1454eec3a5732e3abc6e272e306c86be0b41afaf4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "697a50bf-e127-5784-9625-795b96f3c50c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150755Z", "creation_date": "2026-03-23T11:45:31.150758Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150763Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8ff1f634c99c0e83bcde4f09c567d42d506619e52a032988963324927e6812cf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6985fa03-155e-5140-9019-e4539a2bec00", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972388Z", "creation_date": "2026-03-23T11:45:29.972390Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972395Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "83aad7f91c4ebec89fb63e60ccc05628281aa0439362097bd91c69f4b74470bb", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6995d290-c9be-5c6a-82f3-1e96964c8ea4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814575Z", "creation_date": "2026-03-23T11:45:31.814577Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814586Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47337163257da1cb0bd32096b8839f15cf41779e13eba540c9b993e011e186e6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"699c3610-d557-5951-8adb-cdcf28d2c4e4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834638Z", "creation_date": "2026-03-23T11:45:30.834641Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834650Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "73e1bc654fe12c42b4f16a4e5294e2a8087e203447c9ee7357e32fa4fd0bd0c3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "69ab438e-c7ea-598c-b39e-cff947f039ae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153119Z", "creation_date": "2026-03-23T11:45:31.153122Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153130Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "556266d9e0ae434c1f5a96ef2dc3d5acc07f2c618f398c0c257fa20448ad978f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "69b46593-d590-5f1a-a8ff-8e4acb3441ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159122Z", "creation_date": "2026-03-23T11:45:31.159124Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159130Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fe6557bc353476efb85bf7e5d4cb864c2a0ed1caca36d6c4f6538fd96ee4ee24", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "69b7f788-6fdc-51ca-a1c0-948af80233d1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809469Z", "creation_date": "2026-03-23T11:45:31.809471Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809479Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c3e5821f204424581ca926b85c708e35399f6e959d51e9df0a2e4be5d9f7cca6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "69c75ef9-497d-5b6c-9f64-a9b3f1a323a4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149753Z", "creation_date": "2026-03-23T11:45:31.149755Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149761Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e11a002974e08ff480342e530fa5848fc8235ff1168286701a74080ead79262e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "69c76cec-67d2-5fea-aef7-2c6dc11c2151", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979291Z", "creation_date": "2026-03-23T11:45:29.979293Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979298Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a4ca4a0932afa09e8df3469768f5ac6feaff2b7ae27ac208a218288fc4fbf102", "comment": "Vulnerable Kernel Driver (aka d.sys) [https://www.loldrivers.io/drivers/7a7630d6-d007-4d84-a17d-81236d9693e1/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "69cb304d-3073-5f46-9589-56fa758a8789", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823601Z", "creation_date": "2026-03-23T11:45:31.823603Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.823608Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fe1d76944b23d7ddc313ff2c1becc62e9b58cb325b8aa2fae960e22cd7eef0e8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "69cd690a-8ca9-574a-a00b-20eb4c215ba4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481841Z", "creation_date": "2026-03-23T11:45:30.481843Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481848Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "00c3e86952eebb113d91d118629077b3370ebc41eeacb419762d2de30a43c09c", "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "69ce4409-7199-5729-8dac-0e86195c4951", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980396Z", "creation_date": "2026-03-23T11:45:29.980398Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980403Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d59cc3765a2a9fa510273dded5a9f9ac5190f1edf24a00ffd6a1bbd1cb34c757", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "69d0b8e8-800a-5c84-9111-25de8534f9f2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835610Z", "creation_date": "2026-03-23T11:45:30.835612Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835617Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6d660d8f547ba9791500e2a36a7091142ad565291fadae767a4cdf55e4dfc962", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "69d6419e-92a2-51d9-93cc-4ce9b1452052", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159993Z", "creation_date": "2026-03-23T11:45:31.159996Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160002Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f365cb2c6488bcd20faa434f9f4abaab59360bd2dfb8f484c893ae66f505b6fd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "69de5ba6-9be5-51c7-a09b-85aa3fda42d9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621054Z", "creation_date": "2026-03-23T11:45:29.621056Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621062Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b2b37ef379ada79d2abe78375312bfcd4b518139bc525a522c2a6329ba097cc4", "comment": "Fujitsu Vulnerable Physmem drivers (aka ADV64DRV.sys) [https://www.loldrivers.io/drivers/24fb7bab-b8c3-46ea-a370-c84d2f0ff614/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "69dee7f2-7df0-55a0-9c9d-475c79bd56ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153631Z", "creation_date": "2026-03-23T11:45:31.153633Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153638Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "209e1456e53179a845a26b4a065aa3c599d62e661f2333fa7c25ec62d22328f2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "69dfec27-d554-5c70-b04f-c8c2152cd167", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984954Z", "creation_date": "2026-03-23T11:45:29.984957Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984966Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3171d7af852e8b6be4651c415ea9490568475c45ecaa02a33dda9babb1643b07", "comment": "Dangerous Physmem Kernel Driver (aka BS_Def64.Sys) [https://www.loldrivers.io/drivers/4a80da66-f8f1-4af9-ba56-696cfe6c1e10/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "69eb0700-763f-5e83-b7ae-70c29e868481", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827682Z", "creation_date": "2026-03-23T11:45:30.827684Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827689Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "154edec7928d9b616d12bbdc35f9b2b67b9591f9de4129f41b87f9868868110e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "69f8bad3-7f18-5ccb-9af6-b3a9f764a5ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466242Z", "creation_date": "2026-03-23T11:45:30.466245Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466254Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7824931e55249a501074a258b4f65cd66157ee35672ba17d1c0209f5b0384a28", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6a0ab366-74ee-52a6-8050-40b6a8b23686", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967763Z", "creation_date": "2026-03-23T11:45:29.967765Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.967771Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8bc88ce0b5d4b4d42fe51f869b7b4fd34eaa17d04c8058b93b3536129721a129", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6a0c75a6-5a18-5412-bb1a-3eaff32ad9fe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152236Z", "creation_date": "2026-03-23T11:45:31.152238Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152247Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab93eb13a7362324b0d89549505c747b572382d363ee9c89418a671a56342811", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6a24fff6-a7c5-51a3-8301-d792efccc7bf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453724Z", "creation_date": "2026-03-23T11:45:30.453727Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453736Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "00e341c11664a6330122830344bce02aab886143bcaf8f642ab8abc57d80f1e3", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6a2fa299-1c5c-5eda-a779-3d3e6dff2041", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143861Z", "creation_date": "2026-03-23T11:45:31.143863Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143881Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d6c0cce3aef9b8ee4a8323818434c67b1563096ec46738b7475027d582c2b11b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6a4ab4c6-344c-5033-928e-c609b0e31a25", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622349Z", "creation_date": "2026-03-23T11:45:29.622351Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622356Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "72288d4978ee87ea6c8b1566dbd906107357087cef7364fb3dd1e1896d00baeb", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6a53ba09-626e-5d84-95ef-d6c1c68b39d8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475827Z", "creation_date": "2026-03-23T11:45:30.475831Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475839Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "00c02901472d74e8276743c847b8148be3799b0e3037c1dfdca21fa81ad4b922", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6a56ce7a-0600-5b8f-9eef-5e482e6b45ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810398Z", "creation_date": "2026-03-23T11:45:31.810400Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810405Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8b0e6af5764304da088fd609f86da118fbc1372381b5701b907f83400ca69e94", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6a59d775-fe31-5e57-a7e1-44b24dd0f624", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468107Z", "creation_date": "2026-03-23T11:45:30.468111Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468120Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "db7a15aa5b85845831dcdcebf837b22cf43fa572dd9cb0bb0d264af519b8d406", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6a5aeb6a-9beb-5e91-9d3f-0eaf0af44aea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493653Z", "creation_date": "2026-03-23T11:45:31.493657Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493665Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f868341ee5cb31b1c8d61d246b0c2745fca5a571186fae4ae724837059c32df8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6a5c110c-7065-518c-9d85-e301b54f24b4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154024Z", "creation_date": "2026-03-23T11:45:31.154026Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154031Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ad27a4b2ac4df42b49b935e71da004afc7ac7b2779050e2a3b778da1e840a941", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6a60ba86-44b0-5b78-b2e5-2dd3df95fdd6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973844Z", "creation_date": "2026-03-23T11:45:29.973846Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973852Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "97b32ddf83f75637e3ba934df117081dd6a1c57d47a4c9700d35e736da11d5bd", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6a666cee-2bbc-51ba-932f-f57c86e0c592", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621390Z", "creation_date": "2026-03-23T11:45:29.621391Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621397Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5ae23f1fcf3fb735fcf1fa27f27e610d9945d668a149c7b7b0c84ffd6409d99a", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6a6db6d4-b17f-59da-b379-25f08c28a210", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487808Z", "creation_date": "2026-03-23T11:45:31.487810Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487815Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "39326a1bcb6a96dabcb9dfb519f880680eb39f35ea495618637952507c6dbfec", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6a71118a-9d04-564d-a915-11bc0f4e7c42", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827774Z", "creation_date": "2026-03-23T11:45:31.827777Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827786Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "78f415efdf3a409abd1d45320264bde4a1862f56d1cb9216f3e2f9a2d7171809", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6a77e505-957c-5c2d-9cdd-96065b21bc3c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146727Z", "creation_date": "2026-03-23T11:45:32.146729Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146735Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c5400ae731464079590aad494bcf2e0799bb4281ea49baa9580ab2f1ee207861", "comment": "Vulnerable Kernel Driver (aka ACPIx86.sys) [https://www.loldrivers.io/drivers/fd6c52b1-aeaa-4d89-8051-91acc68c3270/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6a7a98f8-e3bf-50a9-ae75-22ca4a7206de", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971579Z", "creation_date": "2026-03-23T11:45:29.971581Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.971586Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "de99cea1cb680816afa10d2629a8067af1dc289d2d162a21b9dba71eb0e47745", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6a7b0d5a-1f35-5d7c-bcd7-b4a6653164a7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808631Z", "creation_date": "2026-03-23T11:45:31.808633Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808639Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8fdc7fe94185ea96f4af7a513d7644ec9cb66cce3207358cbd8dc330caf7bc85", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6a7b29ef-b663-5cf5-b3da-4fc999013779", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615849Z", "creation_date": "2026-03-23T11:45:29.615851Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615857Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e5648f892460e2a2a450519b523007ca6973a3679a59c07582aa5bdbd6584d4", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6a8cdd55-f402-5fef-9d29-26b4ab762e66", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823682Z", "creation_date": "2026-03-23T11:45:30.823684Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823690Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7acc162be849c4f95d8d74c3f5aa97681c62406f604bdc5e3cf4d9993dcfcc80", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6aa4fec8-482e-59e2-b1a8-082a6b9960c2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967530Z", "creation_date": "2026-03-23T11:45:29.967532Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967538Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6aaa0071-6503-50ed-b481-ac5658890a6a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609540Z", "creation_date": "2026-03-23T11:45:29.609541Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609547Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b5433ec27586bdd8d2ef606f9212d8ed75ae3ae2e201a1acaf325d9b12239df8", "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6aab1a7b-6d25-57a3-b4d4-18edb5bd340d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609041Z", "creation_date": "2026-03-23T11:45:29.609043Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609048Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "17927b93b2d6ab4271c158f039cae2d60591d6a14458f5a5690aec86f5d54229", "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6aac6845-a0b9-5b58-90ab-518a73c39e9a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487558Z", "creation_date": "2026-03-23T11:45:31.487560Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487566Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "34a49a7c6263fab5bb04eca3a281865480cc26183b4a09aa27f54948e9b3f211", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6aae14c1-b24d-54ab-83dc-4f746eaf28f7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826639Z", "creation_date": "2026-03-23T11:45:30.826641Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826646Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4a42fbb4f43ce223f272ab104cb4548d65b51370e7e3309bbecf94f78f388d0d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
} { "id": "6ab2c510-a228-5c45-9d53-5558473c722e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604071Z", "creation_date": "2026-03-23T11:45:29.604073Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604079Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8be482157bdb504cc35f1126e31f240e0faf6890790c65c58ec3328f58c780d8", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6ab3aa6a-a9f1-5cd2-beef-4bdb06dc2ea0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832902Z", "creation_date": "2026-03-23T11:45:30.832905Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832913Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "17af7d992ea688cb58092a9cb4e97242dee798b6b8598df58919bd816a487f72", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6abe76f7-30e2-5058-9049-75c7645e33a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979567Z", "creation_date": "2026-03-23T11:45:29.979569Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979575Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e307ebe2d43cc8e290e5ade032a6e38bc6961439f92d6e99b954bf1368a975ef", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6ac353ef-113a-5248-aa3e-db023b0e14b4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491195Z", "creation_date": "2026-03-23T11:45:31.491198Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491206Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aa5453e36a0bb0cef26d3708ef568443e42bfe2780db5bc2ac9f8e0dacf35243", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6ac6cbb3-b6cd-5fe3-b382-efd22faf55e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492701Z", "creation_date": "2026-03-23T11:45:31.492705Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492714Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "965428e52c4c1cb355cbac05e8dd5549fa46e71d10d7c8766e2603df5ac048d4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
} { "id": "6acaf915-d2be-5af7-9ac0-ad0b2b9137f3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149396Z", "creation_date": "2026-03-23T11:45:31.149399Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149408Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "96145b53c3844ec1ddc23fb0ef29cb17e297a0bdec6215d5f4d62ebda5e62a6b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6ae23888-b7cf-5232-a08a-ece352b71c8c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971176Z", "creation_date": "2026-03-23T11:45:29.971179Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971187Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "filename", "value": "mimidrv.sys", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6aed2c9c-f9c0-5a13-8631-0a0902f6da1e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833372Z", "creation_date": "2026-03-23T11:45:30.833376Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833384Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "48b6357abca6278706e2c431fd1cc34a2ab7971b65e496cf19f164a602838a34", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6af166f6-b9f4-547e-8d45-e6831447f86c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.494083Z", "creation_date": "2026-03-23T11:45:31.494086Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494095Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c78e942bbdff760ab41f3266bc593114e35a15d3f46b5de370a21f2c3ea4e5b0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6b0cbdc8-a97b-5df4-95ec-48dca8cb3c73", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144939Z", "creation_date": "2026-03-23T11:45:32.144941Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144946Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d1598c68202647a9d029b0abb2737f3701359ab433677b51bd83459de7155677", "comment": "Malicious Kernel Driver (aka driver_290bc782.sys) [https://www.loldrivers.io/drivers/f5c1a46f-21e6-4b06-b212-2dc55b699497/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6b0f6788-686d-55dd-982a-84b9f2cc1f01", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457393Z", "creation_date": "2026-03-23T11:45:30.457397Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457405Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8ef59605ebb2cb259f19aba1a8c122629c224c58e603f270eaa72f516277620c", "comment": "Vulnerable Kernel Driver (aka rtkio64.sys ) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6b12aa25-1b3f-5956-8b57-7e1d8ad018e0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968987Z", "creation_date": "2026-03-23T11:45:29.968989Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968995Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"8cfd5b2102fbc77018c7fe6019ec15f07da497f6d73c32a31f4ba07e67ec85d9", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6b17b320-4771-523e-ae8a-b69080f409e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614579Z", "creation_date": "2026-03-23T11:45:29.614581Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614587Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "56a3c9ac137d862a85b4004f043d46542a1b61c6acb438098a9640469e2d80e7", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6b1eedb3-df77-5a25-91b6-90a19bf2d768", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967148Z", 
"creation_date": "2026-03-23T11:45:29.967151Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967160Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "15cf3ce2a0ee32488de26222492842a378d6b8af6924578b35dac89fb0c7cb5c", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6b27bb1d-47f9-5210-a780-c005f61d445c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483372Z", "creation_date": "2026-03-23T11:45:31.483376Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483386Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9f5e3fb2163d42e5c48164c02eda6e3da31c42d054f4103cea2f1c0da445d843", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6b294ad6-d7b5-5293-b497-fc6da62d6048", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618202Z", "creation_date": "2026-03-23T11:45:29.618204Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618209Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "835733590a778f48dae1df4e33da8455b89449fed3e04fa19b64bbdcb6a530db", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6b2af974-52f1-570a-bcae-a6d2e57afe0a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819324Z", "creation_date": "2026-03-23T11:45:30.819326Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819331Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "39b8c4549fcf28f4b5d8aee04bf170f648272197a631c3487a34fdb8d4a826b6", "comment": "Vulnerable Kernel Driver (aka hwdetectng.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6b386362-a615-5dc2-94ca-e74e89620d75", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973269Z", "creation_date": "2026-03-23T11:45:29.973271Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973277Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c1bbe628f79528417ea741dfad2f589fc4e5c62152e632a89ed080da029d5384", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6b3bb91b-dd74-5605-9ca2-cf34e93456a9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475444Z", "creation_date": "2026-03-23T11:45:31.475447Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475457Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e1335392b288a7006aa03d289559998f8870b9bdca139e12e3f7c5a1c14b8304", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6b4021dc-d69f-5e00-97e4-0e582ffa8778", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809026Z", "creation_date": "2026-03-23T11:45:31.809028Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809034Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "93710294ca4c54305bbd016842276f32b8895002c6c2ff09e653ceb3bc05dec0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6b43793f-c824-5758-a3fc-74a4e77739c9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827699Z", "creation_date": "2026-03-23T11:45:30.827701Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827706Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cc5df3459b53df65b45eaf3541723192563133f9d07f4aee68c21556d5ac4bb9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6b5c7d85-f321-5794-91c0-530f342867ed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822106Z", "creation_date": "2026-03-23T11:45:31.822109Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822117Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9c832d3704fa2bab90a7eff166fc143f7ad14f8e2390224ce7fff4065a7bf266", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6b5e1f9d-75ef-5dbd-ab26-9fe8482ef160", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808667Z", "creation_date": "2026-03-23T11:45:31.808669Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808675Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "35d7873d44f2dc85283378765ccaf73d81b9bbe97113aa10cca1a0386048f4f8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6b666413-53e3-5cf4-b79c-b7ae787c28a5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977054Z", "creation_date": "2026-03-23T11:45:29.977056Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977061Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "filename", "value": "WindowsKernelExplorer.sys", "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6b712316-3bbc-547b-93d1-7031be42d17a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606350Z", "creation_date": "2026-03-23T11:45:29.606351Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606357Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd1beb64cd67169d57ca4dbc602a94f74891962221bb49c09abf3339ce35bc90", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] 
[authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6b7eb322-7599-57ef-97a1-79a86d1f9484", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620352Z", "creation_date": "2026-03-23T11:45:29.620354Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620359Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9790a7b9d624b2b18768bb655dda4a05a9929633cef0b1521e79e40d7de0a05b", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6b874d3a-56d7-5fa5-b11d-0d576f6cb47e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821655Z", "creation_date": "2026-03-23T11:45:31.821657Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821662Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e7401e82c5bc55dabde99f6c1cb3257d0bf11c7b10fd7567d0710ee1584671c0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6ba02586-2ef0-5e57-97ee-10e6deb7621a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604843Z", "creation_date": "2026-03-23T11:45:29.604845Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604850Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "27cd6ce9797c1a477879b1045751ff8cb54facacb5176f381e17db8d62ebf96e", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6bacdcf1-0d18-5e54-b32b-eab628799243", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, 
"username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146492Z", "creation_date": "2026-03-23T11:45:31.146494Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146500Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3c125ca2f5ea8abbb9ec563dd3208b3fda955b730c3c9362748900c3d59af9c8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6bc5833a-e484-5b9d-b14e-f00fa03078e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606900Z", "creation_date": "2026-03-23T11:45:29.606902Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606907Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "083828dd2e4afe22f5d27b56bd7f5a60e43aea7ec8f8cb0a138be84ee639a09c", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
} { "id": "6bcacfb9-dfa4-5206-bd03-e39bcb888d9a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812117Z", "creation_date": "2026-03-23T11:45:31.812119Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812124Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7a783f9ff531340c29d7c8301e2fca1a2d4580c664da4bfc5f7d08c3a6e80c15", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6bcbc73f-0a67-53cf-9f0f-e336f5c240b6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967512Z", "creation_date": "2026-03-23T11:45:29.967514Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967520Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d0a03a8905c4f695843bc4e9f2dd062b8fd7b0b00103236b5187ff3730750540", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6bcd326d-8c49-5b36-b361-7a4c36af7ab6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612334Z", "creation_date": "2026-03-23T11:45:29.612335Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612341Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fb6b0d304433bf88cc7d57728683dbb4b9833459dc33528918ead09b3907ff22", "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6bcf078e-a957-5592-87b0-f77f9ef6a727", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608928Z", "creation_date": "2026-03-23T11:45:29.608930Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608935Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427", "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6bcff632-d15e-5cf5-9368-546e98452cc6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472795Z", "creation_date": "2026-03-23T11:45:30.472799Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472817Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4d5059ec1ebd41284b9cea6ce804596e0f386c09eee25becdd3f6949e94139ba", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6bd18258-f020-54b5-bdc9-8d83baa06920", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452595Z", "creation_date": "2026-03-23T11:45:30.452598Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452606Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "43f88737fcdc8cd913ec2643c1841c87794f987e98b1432dd6220f769183467b", "comment": "Malicious Kernel Driver (aka 1fc7aeeff3ab19004d2e53eae8160ab1.sys) [https://www.loldrivers.io/drivers/aaf8ce1a-e11b-4929-96e0-5ec0666cef2c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6bd25302-32b6-5d83-a23b-ed8b7dad738e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.471563Z", "creation_date": "2026-03-23T11:45:31.471567Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.471577Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ebb0ca636243f26c37d5172cb9290620a733b75400c5678174be0c22fc9ec9d3", "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6bd875fd-b393-5e79-8096-554a59ae5b80", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475124Z", "creation_date": "2026-03-23T11:45:31.475128Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475137Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "70eb61b8464748d65366ad8d7ef9d971c6525bf556137c2603de2283a3f6933e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6be3a5e4-dd40-5d85-9e37-f7f4c1be723f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462029Z", "creation_date": 
"2026-03-23T11:45:30.462032Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462041Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "deade507504d385d8cae11365a2ac9b5e2773ff9b61624d75ffa882d6bb28952", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6befa781-66a1-5aa1-82c2-f7efee44f44e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967586Z", "creation_date": "2026-03-23T11:45:29.967588Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967593Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0c42fe45ffa9a9c36c87a7f01510a077da6340ffd86bf8509f02c6939da133c5", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6befd971-db91-5895-9d4f-6dbf25976eca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823007Z", "creation_date": "2026-03-23T11:45:31.823010Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823018Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "11608d588b2fa812260ab29907f63eb05f692a61c0ebdb8ef2e9983ca04016fe", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6bf87be8-1d58-5d0b-8df0-9bcc347f543f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818101Z", "creation_date": "2026-03-23T11:45:30.818103Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818109Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dfe57c6a4ef4d2491be325d67428698a61d9c5d2a24dbada10043d313be2c8cc", "comment": 
"Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6bf9df34-044f-5584-8334-86f78fc57637", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976535Z", "creation_date": "2026-03-23T11:45:29.976537Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976542Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dcfab3c5f99c15cbb7df17c59914af551b90e0ed3c1dc040bad9927b12b67125", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6c0aeebe-57e3-5be2-8a83-0fbf2237a9c7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827998Z", "creation_date": "2026-03-23T11:45:31.828000Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828007Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "29568e4c63b1ce1fd0a6482e934139b02b999bdb46213483c36540897deddb1b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6c0f2bec-8887-537f-8953-617f3bd42033", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461752Z", "creation_date": "2026-03-23T11:45:30.461756Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461764Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8bdcf7457c2caf7fa0386571f972d7f5220d385ad686e2c3536f4c67ba4333e6", "comment": "Vulnerable Kernel Driver (aka mhyprotect.sys) [https://www.loldrivers.io/drivers/7abc873d-9c28-44c2-8f60-701a8e26af29/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6c33ceb3-337f-57e1-82ae-71ef8e6e9ecc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608474Z", "creation_date": "2026-03-23T11:45:29.608476Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608481Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3724b39e97936bb20ada51c6119aded04530ed86f6b8d6b45fbfb2f3b9a4114b", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6c35a0c6-43f3-5b4d-b34d-c7cc820afcc6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825836Z", "creation_date": "2026-03-23T11:45:31.825838Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825844Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "540c2a28f82a9f3b09b79c6d0adbccff9655645fcc93133840ac4abcb19ef643", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6c36919e-06a7-5eb1-99aa-81dfba1a696d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974540Z", "creation_date": "2026-03-23T11:45:29.974542Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974547Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "14cfe7b4f7572aa3434ac5dd458a35f286538b34734cf7a310fb7bcba209921c", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] 
[https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6c3db75b-5858-5815-ab91-6b1536bd4212", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145242Z", "creation_date": "2026-03-23T11:45:32.145244Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145249Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e060b051d0b8eca8490347f679e63391c792b6b37684e11301f4ed187173c3fd", "comment": "Vulnerable Kernel Driver (aka RtsPer.sys) [https://www.loldrivers.io/drivers/32155681-33e8-4d0d-b9f6-c822851e7321/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6c538976-3446-58d6-9aad-45374163ef6d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607748Z", "creation_date": "2026-03-23T11:45:29.607750Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.607755Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9f1025601d17945c3a47026814bdec353ee363966e62dba7fe2673da5ce50def", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6c5a0c32-08da-54bf-a778-a2f3b476e2ea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819567Z", "creation_date": "2026-03-23T11:45:30.819569Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819575Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "16ae28284c09839900b99c0bdf6ce4ffcd7fe666cfd5cfb0d54a3ad9bea9aa9c", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6c63e9e1-8c23-5cee-8edb-04143c794a1a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143521Z", "creation_date": "2026-03-23T11:45:32.143524Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143529Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3af9c376d43321e813057ecd0403e71cafc3302139e2409ab41e254386c33ecb", "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6c746b78-8969-5498-af20-41eb156a995d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825364Z", "creation_date": "2026-03-23T11:45:31.825367Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825376Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "06480527d19a9f4976aeb5c1a6bd362618d472d2bc84032e50ff4f23187ff5dd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6c76c165-dd18-5f38-b09e-10c4aaddebff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467210Z", "creation_date": "2026-03-23T11:45:30.467213Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467222Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0cde416accd63c33ac9f4fd7bb6426c8bc3e6a18a335e9bbfea7cc767c30d3b6", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6c81e492-3627-5c81-85b5-d9ef245db970", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146226Z", "creation_date": "2026-03-23T11:45:32.146229Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:32.146234Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b4f33ffef069c18e8a8834eb448dd1f1dbdaae93b140cfff5a1db015eb3ada2f", "comment": "Malicious Kernel Driver (aka driver_b4f33ffe.sys) [https://www.loldrivers.io/drivers/51a44484-8bcc-4150-8b94-4a755cff0af8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6c8880c7-69de-5f01-9a22-73e3bdb020d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467819Z", "creation_date": "2026-03-23T11:45:30.467823Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467832Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1f43d0680cecea2db04d2f2eff7ff37a13beec280e62b76b9dbdc38d0e225fca", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6c8cab98-f1c2-5b65-aae6-b7318f2aa8d8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617289Z", "creation_date": "2026-03-23T11:45:29.617291Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617296Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ad40e6d0f77c0e579fb87c5106bf6de3d1a9f30ee2fbf8c9c011f377fa05f173", "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6c8dd904-0551-5481-bad6-efb1f4b12ec6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817042Z", "creation_date": "2026-03-23T11:45:31.817044Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817050Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "268e8ab3593266b68e6ffde8b97ad4fe04eff0b10d737d4e9bccd6623d43f374", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6c92435a-63c7-529c-864f-dbf529ecbbc4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969488Z", "creation_date": "2026-03-23T11:45:29.969490Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969495Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5af59d6ca109b5cae3350b48b85274ce181e45be4c7f7156bdf58ca3ca7f4188", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6c92e144-b19e-5239-bd5d-95889bed4a68", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825494Z", "creation_date": "2026-03-23T11:45:31.825496Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825501Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f46c650e76a8e764cd4b4867c8baf9bbdbaae3be5c7b5d193ab3813fb59e0a57", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6c9cfd80-5407-5d71-aaa1-8ff7b6e29b9f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614215Z", "creation_date": "2026-03-23T11:45:29.614217Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614222Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "555ebe7901706dbf801b5dbda6660002d3b36e5c669ec98ccfc6884a7481c56e", "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6ca053e4-4c46-53d0-8f9a-ca1130043e55", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, 
"username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606935Z", "creation_date": "2026-03-23T11:45:29.606937Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606950Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b4f9272894f926d4f3b957fca673140a3a24dc896f1a49badaa1e04687b223cd", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6ca0ee17-6652-5a70-87b5-17024ccd354c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979602Z", "creation_date": "2026-03-23T11:45:29.979604Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979609Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e7e7824d611527b67fc36128da1b35d9b8ce3ffdab3fb96e3dbabd6e9c9570c0", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6ca924f3-1fa3-5ba0-a28d-e53b85d9ab62", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463839Z", "creation_date": "2026-03-23T11:45:30.463842Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463851Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bcca03ce1dd040e67eb71a7be0b75576316f0b6587b2058786fda8b6f0a5adfd", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6ca99354-fa3d-5e23-bce0-af4be1bd3496", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473242Z", "creation_date": "2026-03-23T11:45:30.473245Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473254Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"da617fe914a5f86dc9d657ef891bbbceb393c8a6fea2313c84923f3630255cdb", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6ca9b741-f1d4-5f9a-9bf7-4bb13f059716", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473236Z", "creation_date": "2026-03-23T11:45:31.473239Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473248Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9137c32623cd450511f60c6bb44e14ced32dc66de2bd5880ce9be18c40bee263", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6cb03078-0f43-50cb-af8e-35dee76744dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487908Z", 
"creation_date": "2026-03-23T11:45:31.487910Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487916Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2b49574345aac6924339f555e06ad0cb4ba8c36dca6403a6d9388174dcf76efd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6cb540bb-f386-56a4-a700-6c0292258494", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618925Z", "creation_date": "2026-03-23T11:45:29.618927Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618932Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "989e3234c1b61ea2db590cb170f79e25e9c9a6262b7b9a751ecfc6bf4468b8c4", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"6cbb6b5c-18ca-52ad-ad7c-61f99d1dfd36", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159264Z", "creation_date": "2026-03-23T11:45:31.159266Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159272Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f1435428af7ccb2ae2fbe1e581f4ad7c38bfaa5367e9bbe29f9732f838a84500", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6cc7ec1e-58cd-57d3-9105-e395944ef424", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452461Z", "creation_date": "2026-03-23T11:45:30.452465Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452474Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "23be3616a4fb4e620f971e4348dc46b7980abca6463be3cb4b83769a955f2810", "comment": "Vulnerable Kernel Driver (aka Chaos-Rootkit.sys) [https://www.loldrivers.io/drivers/abcd2c10-1078-4cf9-b320-04ca38d22f98/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6cddd27c-2273-5e09-b052-dfeb5279592d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819673Z", "creation_date": "2026-03-23T11:45:30.819675Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819680Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "060d25126e45309414b380ee29f900840b689eae4217a8e621563f130c1d457f", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6cedc317-06d0-5f0d-90f8-b68f58eb38a7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832133Z", "creation_date": "2026-03-23T11:45:30.832135Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832141Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2749d7e7af1d4a0152ab690eaff93c17ffc587e203cec960a4e82eddee86147a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6cfca489-3930-5253-b47a-3f779247c35b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616860Z", "creation_date": "2026-03-23T11:45:29.616864Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616885Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9022cdd52aa3420757d5c16fe61a4fd4d538fe74981ddf3f29de00eb7a3be849", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"6d0cbf53-cde9-501b-b716-1eec52f624b6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494169Z", "creation_date": "2026-03-23T11:45:31.494172Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494181Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b64faa54484770a73e4e87f633374b409904997fbcb47da8af94a7f081661519", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6d20b998-3850-5bb5-bf4a-9d9c7a8be162", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619018Z", "creation_date": "2026-03-23T11:45:29.619020Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619026Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab3fe6cbd9e3d70a64c5f3b186126cc38a04a624ceefc46afe4825f2001a3caa", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6d2c0441-4717-560a-a346-1d3e65715b25", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612198Z", "creation_date": "2026-03-23T11:45:29.612200Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612205Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aa717e9ab4d614497df19f602d289a6eddcdba8027c71bcc807780a219347d16", "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6d4049c5-6b9d-5196-a6ce-a26937a5c190", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817399Z", "creation_date": "2026-03-23T11:45:30.817401Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817407Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2381e9fc518488f51e3ec49d5ca4e59d10727d20678067ca147e50b0c4294f9a", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6d40b5b8-74bc-57c2-b973-563a0ede62e1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144521Z", "creation_date": "2026-03-23T11:45:32.144523Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144529Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4d8bc539ca7c72e552b7065d2a84fef43b75a46a53c82b50556c2984e0a86a9e", "comment": "Malicious Kernel Driver (aka driver_4d8bc539.sys) [https://www.loldrivers.io/drivers/e7fd8ffc-ab37-4a7b-8dc9-fc7432fbacae/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6d458b79-b71a-5b0f-965c-fcdb16621ee7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475060Z", "creation_date": "2026-03-23T11:45:31.475064Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475074Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "92a0fba8c1598f73e1021e5e4607a7cfab6ed1cef1056d2a1bcdec47dd55391d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6d465f08-a4f5-5e97-8fe8-058827ee4c6e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143150Z", "creation_date": "2026-03-23T11:45:32.143152Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:32.143158Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4160dae22484062ccc3750cc9cac8f929d8701694160a3b508715610814aa28d", "comment": "Vulnerable Kernel Driver (aka echo_driver.sys) [https://www.loldrivers.io/drivers/afb8bb46-1d13-407d-9866-1daa7c82ca63/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6d4764b3-5c35-5b66-b82b-bca5f7c65c3e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145377Z", "creation_date": "2026-03-23T11:45:31.145379Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145384Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dcb2cd8c703f3b378be66a6a5f5283e9393a280df68a6b8f9d227c6aa8b92824", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6d69fe65-8b59-5e30-9de0-a7635a77ae83", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156021Z", "creation_date": "2026-03-23T11:45:31.156022Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156028Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "821401e4becfc52522485719c8f5375889e7d4281c6d76bdb76ccfa332e8a102", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6d874781-b2b2-56d9-a9a5-9efd07a1acd9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452942Z", "creation_date": "2026-03-23T11:45:30.452954Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452963Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6c5aef14613b8471f5f4fdeb9f25b5907c2335a4bc18b3c2266fb1ffd8f1741d", "comment": "Vulnerable Kernel Driver (aka nicm.sys) 
[https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6d9369f3-485c-5c87-b526-a40568e50bc1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974766Z", "creation_date": "2026-03-23T11:45:29.974768Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974774Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "45624a7469927b999cce153ff0074f675a8c062c5afa3f0c688b6124874ca27a", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6d95c489-0cc2-57f1-858a-c57a0e76f43c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606629Z", "creation_date": "2026-03-23T11:45:29.606631Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606636Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f0fb06748758082263e252050904f2fd8a29a77ae71dfdb390346bd2046ebfd4", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6d97e72c-1f6b-57b2-84d1-f6e068b79040", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823526Z", "creation_date": "2026-03-23T11:45:31.823529Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823538Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "316dab59da430edeb47e6d2a95e7f4a6cee385be96353340151a606e05b4d8cd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6da2bf15-5dfa-55d4-8d7e-e22051c03e66", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824189Z", "creation_date": "2026-03-23T11:45:31.824192Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824201Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c83986522ab62386c1568b4cd7ab597b72e6022bdbc63bb7a9fc634138c59467", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6da649c5-2a75-5528-8ca6-cafc8ba21aa7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834996Z", "creation_date": "2026-03-23T11:45:30.834999Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835009Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0b6af15d8afb49cecd9803a72ed7598b9cd4b2725a2df9e73decca0f7ddd9e81", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6da6ea9a-fc0c-526f-b061-075b7ccf4d62", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145094Z", "creation_date": "2026-03-23T11:45:32.145096Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145102Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9088392c38d6b8b7cbcc0959d51f0440f211b037408314b51d393b8aa83d44eb", "comment": "Malicious Kernel Driver (aka driver_ef9d653a.sys) [https://www.loldrivers.io/drivers/14e51012-5429-483e-9423-49778c3bd1c2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6dae4cd0-8504-5651-acbc-da9c361e0769", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453978Z", "creation_date": "2026-03-23T11:45:30.453981Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453990Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "497a836693be1b330993e2be64f6c71bf290c127faca1c056abd0dc374654830", "comment": "Malicious Kernel Driver (aka a236e7d654cd932b7d11cb604629a2d0.sys) [https://www.loldrivers.io/drivers/2866bd72-a4b1-4764-a838-9ed0790c2631/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6dc453fd-fd35-5583-8d13-4ee8acb8699e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611359Z", "creation_date": "2026-03-23T11:45:29.611361Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611366Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "abf635a246752555868f203a565ead519c9ada06ea007545a47bf352678c342a", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6dcd1acb-cb65-5f6d-9d99-d3bc6bd6a1f5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464912Z", "creation_date": "2026-03-23T11:45:30.464915Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464923Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "62036cdf3663097534adf3252b921eed06b73c2562655eae36b126c7d3d83266", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6dcd538a-587d-527f-8a3a-21829db2b0bb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819394Z", "creation_date": "2026-03-23T11:45:30.819396Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819401Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d2da77e10d2fd2b8b2aa68ab4af1483ef270311c846644e0ec61ace146ee6feb", "comment": "Vulnerable Kernel Driver (aka VdBSv64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash 
SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6dd41b7f-04af-5749-bb5b-4d2f6c5e8f41", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978135Z", "creation_date": "2026-03-23T11:45:29.978137Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978143Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "749b0e8c8c8b7dda8c2063c708047cfe95afa0a4d86886b31a12f3018396e67c", "comment": "Malicious Kernel Driver (aka 0x3040_blacklotus_beta_driver.sys) [https://www.loldrivers.io/drivers/8750b245-af35-4bc6-9af3-dc858f9db64f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6dd4a3c5-140b-5d17-a24d-fd64ee2e0520", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835295Z", "creation_date": "2026-03-23T11:45:30.835298Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835307Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6a907bd5cddfab8ee41a02f6ad9ba6c6848bd9c1017611435f0867b2e236a07b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6df6947b-6884-599d-a679-8e99d41f1d64", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968004Z", "creation_date": "2026-03-23T11:45:29.968006Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968012Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0f5e3d33c824f9f03d038b4f1a376b15cc5f1694aef086bd17c516ad951fc45a", "comment": "Projector Rootkit malicious drivers (aka KB_VRX_deviced.sys) [https://twitter.com/struppigel/status/1551503748601729025] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6e085625-9299-5c1f-b73a-32e977660209", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146778Z", "creation_date": "2026-03-23T11:45:31.146779Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146785Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "54d5272af19864d81cd4902d76a651510c7d58295e5f4fb2f8053ebe499982dd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6e0da02f-47bb-5feb-b522-3b11714163d7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153489Z", "creation_date": "2026-03-23T11:45:31.153491Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153496Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "51fcbd96e216fb82900db6ea5046a89cec680c8965f0d9a26e1aedf71acbf8eb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6e17fc26-e435-5bc8-9f39-99be4e3ebaf6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973357Z", "creation_date": "2026-03-23T11:45:29.973359Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973365Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fabe94809d90ade89dad012b22243e3fb755a131800140f8f8b30c989c371301", "comment": "Voicemod Sociedad Limitada vulnerable driver (aka vmdrv.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6e26a745-2dd2-5fa6-8655-b3ea3b7f88b7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153701Z", "creation_date": "2026-03-23T11:45:31.153703Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.153708Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "28e471f0741ecac18102c0a407310d53cf0e962965adaafa53123b9bf349fe5e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6e2710d7-b12f-51d8-b333-db37338c9f71", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155154Z", "creation_date": "2026-03-23T11:45:31.155156Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155161Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1f55e87dc3ccf449c3df04a227b3c38f0ab151563904ec75faf09a9e6ad81b69", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6e346ae4-4915-574b-9971-1aed1c11c946", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827586Z", "creation_date": "2026-03-23T11:45:31.827588Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827593Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1508b3bcd0368bc487e0af59f88148f2e5a16685d1ca05d5aa0d9aa982999493", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6e4d6306-3ea4-5396-b5a1-97895f1bc71d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154978Z", "creation_date": "2026-03-23T11:45:31.154980Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154986Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8970d3c8889a4f6d7bb6228d331f0f30de2a7f6a287b37d23a20cd12d36eb728", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6e64165c-5713-53f9-8c1c-537b25014d5a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823536Z", "creation_date": "2026-03-23T11:45:30.823538Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823544Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "852d83d1cb676d150286edb1eccc7dba4c5acc06027361f96721a0a75f1a7884", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6e675e6c-80b2-57f4-9d94-7db2e39d9d0e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823644Z", "creation_date": "2026-03-23T11:45:30.823647Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823652Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "456216f68ea370a72c5a4994b64809114edad1357cea269af57b96b44923a484", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6e75b3b5-c905-5cd5-b67d-d0b91e2eb598", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472980Z", "creation_date": "2026-03-23T11:45:30.472983Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472992Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "53bd8e8d3542fcf02d09c34282ebf97aee9515ee6b9a01cefd81baa45c6fd3d6", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6e81b540-f4fe-5c58-b988-c69ab84fbde5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980271Z", "creation_date": "2026-03-23T11:45:29.980273Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980279Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9eba5d1545fdbf37cf053ac3f3ba45bcb651b8abb7805cbfdfb5f91ea294fb95", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6e96b5c3-e155-5b2b-bd3a-0ce0eb7cc6e8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487080Z", "creation_date": "2026-03-23T11:45:31.487083Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487092Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "44d76b4ee4e9a0ad0eb3c40fc6ae66d91c33155da86b5f15a6ebd9564cf30130", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6e9ce2a7-c644-5130-9db4-b0d56ee11bf7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151754Z", "creation_date": "2026-03-23T11:45:31.151757Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151764Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "baa6847981a0c77a1c657431167a43ebcfd0ffe32ddf8379f6a65315c34a549d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6e9e3066-2f4b-5fad-b9e4-2e8a0cd60ab5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489040Z", "creation_date": "2026-03-23T11:45:31.489042Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489047Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a36482e8713d29d620b8b759812324d74fa63ce221ff518f807f3f3db569b3d7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6e9e5995-7311-57d2-b4c6-b18b5e1b8fad", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976800Z", "creation_date": "2026-03-23T11:45:29.976802Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976808Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0c8a373fff42c69f51cc4ae12295df8b75e7e29fd4956dbc3582bf284b883ddc", "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6edd5a8a-4119-5801-b4db-40292f8839d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827975Z", "creation_date": "2026-03-23T11:45:30.827978Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827983Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd72a998f433f807dc5ee331a52286717f787f6c5c9e22491f8bd685e0da2f66", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6ef08fe4-c3ab-5896-a9b1-a2fda92ab558", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464202Z", "creation_date": "2026-03-23T11:45:30.464215Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464229Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"c4c9c84b211899ceb0d18a839afa497537a7c7c01ab481965a09788a9e16590c", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6efc3165-2e4f-56e2-8964-a9876ad1855f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479650Z", "creation_date": "2026-03-23T11:45:30.479651Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479657Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4a367f9af0d4995eafb7bbdb4fa60eee88e470f7192276d3d66afc58f75013e1", "comment": "Malicious Kernel Driver (aka be6318413160e589080df02bb3ca6e6a.sys) [https://www.loldrivers.io/drivers/a9ab4412-d484-459b-be97-5975f5ab8094/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6efe81ff-6906-5491-b055-b2775cb049a0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815069Z", "creation_date": 
"2026-03-23T11:45:31.815072Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815081Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "12a4df784e6e897c36a4d074175c39d03c9ba5cd5ca37f27f50b70b7ab6b43a6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f208011-1eda-526c-8dae-a818d0881f57", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500230Z", "creation_date": "2026-03-23T11:45:31.500233Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500241Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "975092496ce4f4c728aab097f43433ce212e947e69e87f04391f6d9ab38d3a85", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f295f21-f9f8-5b86-86f3-6bfa096432bd", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459356Z", "creation_date": "2026-03-23T11:45:30.459359Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459368Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6703400b490b35bcde6e41ce1640920251855e6d94171170ae7ea22cdd0938c0", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f2e735d-1e9f-5c96-9e6e-38231136ea15", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967381Z", "creation_date": "2026-03-23T11:45:29.967383Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967389Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"9804787b31e0025dd2ae9344ca1beae2e701cdf8fd77a60f424295dc9280dc89", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f2ef343-e9c8-51aa-8b2d-f3525e6c9c6f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149282Z", "creation_date": "2026-03-23T11:45:31.149284Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149290Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ecf7fef0a3e19f21730760600c6fa887466ccc39f1e2dde96cada2f2e02f65d7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f313f3a-8bc2-5d1b-80ba-59a4c92405c3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.469600Z", "creation_date": "2026-03-23T11:45:30.469603Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469612Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f424562623d0edf9b506a5f65b23427e7ec9a476570646d2a08ae9fa9fc57305", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f3853ea-c3ce-5a8d-8185-eaf4ddf94530", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829861Z", "creation_date": "2026-03-23T11:45:31.829863Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829883Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "825578c10c86e4aeb9dd971df6e87becbcf3566350aedd9d296a57b9647f78e1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f3c19fd-5299-5558-993e-fcc94120d591", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141698Z", "creation_date": "2026-03-23T11:45:31.141700Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141706Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "65a1610e10217ccbe221fa54dd8403b632267bd82326460c918faeb5bb960058", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f3ee1eb-525c-53b8-b1cd-7c98b06564db", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487254Z", "creation_date": "2026-03-23T11:45:31.487256Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487262Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"afd5b0e98eacebd6ee17cb1fc7039c07651a5c218524e2714434806fe00e4263", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f400690-869a-5d92-b551-3b8aaf2b8c32", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604907Z", "creation_date": "2026-03-23T11:45:29.604909Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604914Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "96a5d22ea53ee40f15528f4c19cac0b121a89b65e5c70488819c2fcd7c95d24c", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f4561ad-ea5f-54f3-a8c1-8046e0b552ef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473601Z", "creation_date": 
"2026-03-23T11:45:30.473604Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473613Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "67b4d4995c9a054e90af05d7e04baf39759c478a519a3c729cbf6ffb041ae7cb", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f4a1f5d-482e-5cfb-b96f-d16f6a3098b6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159900Z", "creation_date": "2026-03-23T11:45:31.159903Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159912Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "32e30d7996c58ff8a86d6da9305b3f33efd0635d3fee2b038e71ef0e8240ea62", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f4beae0-9bca-54ea-8991-88c830476179", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978318Z", "creation_date": "2026-03-23T11:45:29.978320Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978326Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce", "comment": "Malicious Kernel Driver (aka wantd_4.sys) [https://www.loldrivers.io/drivers/72637cb1-5ca2-4ad0-a5df-20da17b231b5/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f5d4374-cf12-54d8-a471-e3794bf03308", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832352Z", "creation_date": "2026-03-23T11:45:30.832354Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832359Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "19fe9e32765d6e3f4b9950d5a04970ffd65845a3eda96aacf2378c0ec401d664", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f66f970-5cbd-543c-b0e3-78b73ce09a22", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983851Z", "creation_date": "2026-03-23T11:45:29.983854Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983862Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47dba240967fd0088be618163672dfbddf0138178cccd45b54037f622b221220", "comment": "Vulnerable Kernel Driver (aka GLCKIO2.sys) [https://www.loldrivers.io/drivers/52ded752-2708-499e-8f37-98e4a9adc23c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f685ca9-67c4-510f-947e-9eeaa43068a9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492592Z", "creation_date": "2026-03-23T11:45:31.492594Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492599Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e32bca5cfb81aad5d03aece6d63089c804460e9e8a4e7d8fbd536022542d3ea9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f6cc55d-f3ff-575d-9bd2-28bcc1752717", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618373Z", "creation_date": "2026-03-23T11:45:29.618375Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618380Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f2a4ddc38e68efd2eac27b2562529926f5ade93575a82e8d3e0abb2b37347257", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f6de817-e32d-585c-a3cd-090197be81a0", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464397Z", "creation_date": "2026-03-23T11:45:30.464400Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464408Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "618b15970671700188f4102e5d0638184e2723e8f57f7e917fa49792daebdadb", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f6f724b-4d8b-5dbb-976d-006ff9d85b44", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475092Z", "creation_date": "2026-03-23T11:45:31.475096Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475106Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "413d1f175419d5fbda10ba5c013c33b6efe1ba8b762569e9a1e807dfdf7c95e1", 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f7d33ab-5e24-5a43-80d5-7af7e93da031", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821411Z", "creation_date": "2026-03-23T11:45:31.821413Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821418Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0bf7a1cb69e0d19175fad6aaf6ca07d429f06a6decc636ad221bd72e78ca36f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f7d3b82-c47c-50a1-8c68-386690484bff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148485Z", 
"creation_date": "2026-03-23T11:45:31.148487Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148493Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7b154b1a86b758c420b19946aba1773fbe02f74fe9f37ce273408465e14ec99f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f7fbff8-dae0-529e-a3f4-428258416740", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156432Z", "creation_date": "2026-03-23T11:45:31.156434Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156439Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6ce80f5eadb5ad84daa4fb31691fd23799a3aed88ab9f4485a35524ec9119c9e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f8038e8-ad84-577e-a437-7e1bce149459", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829631Z", "creation_date": "2026-03-23T11:45:30.829639Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829652Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "338c3f1c416ed3bd38103c35ea76b8ca9e79c903cf00c72c15794c185032de28", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f960064-4aa2-5823-9954-12e522acc763", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821385Z", "creation_date": "2026-03-23T11:45:30.821388Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821397Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "7553c76b006bd2c75af4e4ee00a02279d3f1f5d691e7dbdc955eac46fd3614c3", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6f99187b-0598-56fb-bfea-a910282ba4e0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607900Z", "creation_date": "2026-03-23T11:45:29.607902Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607908Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f37d609ea1f06660d970415dd3916c4c153bb5940bf7d2beb47fa34e8a8ffbfc", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6fb9ec09-20ab-5b14-9a3a-3f7b6fc9c5cd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.979274Z", "creation_date": "2026-03-23T11:45:29.979276Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979281Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c1c4310e5d467d24e864177bdbfc57cb5d29aac697481bfa9c11ddbeebfd4cc8", "comment": "Vulnerable Kernel Driver (aka d.sys) [https://www.loldrivers.io/drivers/7a7630d6-d007-4d84-a17d-81236d9693e1/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6fc33a70-602c-593d-8d12-c9913cdbcc7f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465568Z", "creation_date": "2026-03-23T11:45:30.465571Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465580Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e99580e25f419b5ad90669e0c274cf63d30efa08065d064a863e655bdf77fb59", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6fc68786-6956-5406-938b-eb255074a7e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464571Z", "creation_date": "2026-03-23T11:45:30.464574Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464582Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d41e39215c2c1286e4cd3b1dc0948adefb161f22bc3a78756a027d41614ee4ff", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6fe26f27-6596-5e84-bd9c-1dc373053acc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827272Z", "creation_date": "2026-03-23T11:45:30.827275Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827280Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "93961c2756dc824d1d11867c294445cc18ac611082536bbe5112c7e8827da329", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6fe2ff09-7355-57e3-8c58-c4944d696fa4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607961Z", "creation_date": "2026-03-23T11:45:29.607963Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607969Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff8d17761c1645bdd1f0eccc69024907bbbfbe5c60679402b7d02f95b16310fe", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6fe63fa7-402d-50cd-b30c-384873b9c53e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464883Z", "creation_date": "2026-03-23T11:45:30.464887Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464896Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0d676baac43d9e2d05b577d5e0c516fba250391ab0cb11232a4b17fd97a51e35", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6fec57bd-0b69-5721-b703-bdbdf7a78ddf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614857Z", "creation_date": "2026-03-23T11:45:29.614858Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614864Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cc586254e9e89e88334adee44e332166119307e79c2f18f6c2ab90ce8ba7fc9b", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6fecbb49-a0a4-5955-b328-2e663b1235a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.986031Z", "creation_date": "2026-03-23T11:45:29.986033Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.986039Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c9fbff8b749a1f580b5b5b9e59ec3ffd769b4179970b82e32a3d36e7a3a8cb1a", "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "6ff8a788-0f4b-519f-91ef-b1218ef5d3d1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615380Z", "creation_date": "2026-03-23T11:45:29.615382Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615387Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "809403706c3669a0d67bd35a87f66714989d1bc66e2aa6ca5979781ae3c4fdb0", 
"comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7008cc84-d4e2-59ec-99b2-f4085821cad1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485936Z", "creation_date": "2026-03-23T11:45:31.485940Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485960Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a3e4562b565b106fe859f06622c2674f44ef5bb41c5144583285a408d0870e51", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "700b3063-0b49-5f4c-aafc-bb2782aa5516", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471941Z", "creation_date": 
"2026-03-23T11:45:30.471969Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471979Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fb1183ef22ecbcc28f9c0a351c2c0280f1312a0fdf8a9983161691e2585efc70", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "700f6c07-750b-566b-b302-c5bb9de43933", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146928Z", "creation_date": "2026-03-23T11:45:31.146930Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146936Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "95080c8ed5594235dbf86ab99a1f4fd22edeccecfe41241472db3975f2b7fa75", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "701e52f5-f2c5-54c6-a466-b22bfd947793", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140229Z", "creation_date": "2026-03-23T11:45:31.140231Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140236Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "acea5013470978ce0b3d41c4204d0fdd3d5fd3f28cc3ecad11b33e01fc1bc1be", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "702608f7-0986-5a30-bdf0-432338f19434", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812889Z", "creation_date": "2026-03-23T11:45:31.812891Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812896Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"ec71df85d1b89a3e7f3f9bcaf793e19ed6aca96f84c99470d0684e1004bfa345", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "702d1381-28b6-5782-a591-f463c771957a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981764Z", "creation_date": "2026-03-23T11:45:29.981766Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981771Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "15b081ec83a89182b5bb0a642d56513f40810b5b0a42e904ab6d3fa8f34c0446", "comment": "Malicious Kernel Driver (aka daxin_blank4.sys) [https://www.loldrivers.io/drivers/f8bddc8b-49b9-41f7-a877-d15ec3f174f9/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "703850d4-8c21-5a7c-a151-07e840e86676", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.488327Z", "creation_date": "2026-03-23T11:45:31.488329Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488334Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "66616748bb5b41179385a9c4d1498a0b88fa38ab41f7de83df2995795f739902", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "70389757-51d5-5512-9844-8954af94f750", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141380Z", "creation_date": "2026-03-23T11:45:31.141382Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141388Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "441cc113a5ecaea7af80c9ed97fc8e93ea6ffc4c61b617f48ef85bb7ce94b168", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7057406b-d010-5e88-ba7d-0eb9023d6da1", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974522Z", "creation_date": "2026-03-23T11:45:29.974524Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974530Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e37c0e580bf6f0514af985b1581fef3d66b845aeefa790c625964512a911659", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "705fe14d-0504-5ebb-81c2-4c00c96589de", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823677Z", "creation_date": "2026-03-23T11:45:31.823679Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823685Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": 
null, "references": [], "type": "hash", "value": "13c3c6880f501557d1fee13215167db7afa1bc65b62f242010ad828885f8dd0f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "70600820-a0f2-5286-b192-592f4049227e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499431Z", "creation_date": "2026-03-23T11:45:31.499434Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499443Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8073039514143cc1863f7bd4488c7433b115f5cb1240311fb412313493143128", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "706d9f5b-4362-5eec-ad84-2a9e0095b466", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618460Z", "creation_date": "2026-03-23T11:45:29.618462Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618468Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ffd1aef19646ffed09b56a2ace4fc8cdf5b2f714fcca1e7ffb82256264c94b18", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "707bbba4-e3a9-59d0-81c4-db1a37925fb1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143200Z", "creation_date": "2026-03-23T11:45:31.143202Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143208Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "13f39c57ce0cee25ed6889a045bbfad1fca4de361ea8ed19e3a3af9b234b9781", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "707f98a3-10dc-5f99-8a00-460b93a596f1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615345Z", "creation_date": "2026-03-23T11:45:29.615347Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615352Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a6bf32fafa57bcbb84b06db0d7d28e4b1457ead69c33fa883d5abe84ecd91b51", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "708e4cad-ce8a-595d-bc1e-ad904649beaf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972038Z", "creation_date": "2026-03-23T11:45:29.972040Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972045Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a566af57d88f37fa033e64b1d8abbd3ffdacaba260475fbbc8dab846a824eff5", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "70914d32-e1fd-5ab6-b043-fa1a9ee6e269", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983649Z", "creation_date": "2026-03-23T11:45:29.983651Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983657Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "09043c51719d4bf6405c9a7a292bb9bb3bcc782f639b708ddcc4eedb5e5c9ce9", "comment": "Vulnerable Kernel Driver (aka amigendrv64.sys) [https://www.loldrivers.io/drivers/5c45ae9e-cb6f-4eab-a070-b0187202e080/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7099faa7-5d88-5a2f-ab1c-411f4d0afa68", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152210Z", "creation_date": "2026-03-23T11:45:31.152212Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152220Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c267cfb40ffc24533cbfde1f1f457948f1d07de9eafc24b27db8df1af71a7f79", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "70a1889f-80f7-5b0a-9eab-2d3abfffbe92", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834609Z", "creation_date": "2026-03-23T11:45:30.834612Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834621Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ec7ae3b91784e5d5a57ec6e9e89b66a18c6274b559c8d4890037f7e0651664b3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "70a71990-6094-5dc1-99fd-efcba9885d3f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618219Z", "creation_date": "2026-03-23T11:45:29.618221Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618227Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9155470dc24449977d1be15a116b08705dd4c113a2eb4ab19a6000749ff4b100", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "70ab1e16-e316-5a18-b8c0-83afd3077077", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985996Z", "creation_date": "2026-03-23T11:45:29.985998Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.986004Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f929b77636026cc0c57a0bd95e4c61f0b28a65e60331807e32235947f5c67931", "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "70ad899c-c853-5a9c-8211-17df2dfd4c61", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607258Z", "creation_date": "2026-03-23T11:45:29.607260Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607265Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "70b6c5ff-10e2-50b6-9e3b-2cebafff18de", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155276Z", "creation_date": "2026-03-23T11:45:31.155278Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155283Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1287885c5c87886fcae9bd18ff9a82c0231451315f16f7ec1a8111673127161c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "70c3f0ab-9bb0-59b6-af08-61bcba69338b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825628Z", "creation_date": "2026-03-23T11:45:31.825630Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825636Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "826267a0c3f7fe9aee8242accbf5563560988137702eb6dd8a14bf66790447cc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "70cd4617-678e-5297-8502-f918ed8e744a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613442Z", "creation_date": "2026-03-23T11:45:29.613444Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613450Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fee4560f2160a951d83344857eb4587ab10c1cfd8c5cfc23b6f06bef8ebcd984", "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "70d4d297-8723-5420-9b23-963fb7396391", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:31.813947Z", "creation_date": "2026-03-23T11:45:31.813960Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813969Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "60da0e6b6127b7298f24da50ea4f028f260a629efde08d6926180ee1a7466639", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "70d7c968-5cea-5cc6-bca5-a5327bc47b82", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611201Z", "creation_date": "2026-03-23T11:45:29.611203Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611208Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "313a69d8eea6a933cffac0fa67d46ad9aef0815bb579fce7623d9be825888e30", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "70e87570-d502-5f55-8b99-1bbd06c1c9c1", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474274Z", "creation_date": "2026-03-23T11:45:30.474277Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474286Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f291f251d8ffc6c6c2f69b62e8d1153bdb83f54cf60ef9a4c6235db87bfb2c1a", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "70e8e1af-9c87-5ebe-abdb-bfea8348e5eb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808339Z", "creation_date": "2026-03-23T11:45:31.808341Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808347Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"6a95ec5a6bd3798a928eff37d2657cb948542d9156d0ecce05c4083f5e2b62f9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "70f067cd-c15a-5147-8d38-9791c5ba0ff7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500469Z", "creation_date": "2026-03-23T11:45:31.500472Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500480Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2fdc8c7638c8d9bff60603f4c659c18916d25810c34f953d663a2dfd16fb5392", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "70f120b3-746a-5b48-88e3-8449db36ce1c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826025Z", "creation_date": "2026-03-23T11:45:30.826028Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826035Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e0956447f87a96b886c728a621eee105ade5ffd1bdb1583171f0c74a0c5b0e56", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "712074ef-379a-51b6-8e2c-1c74c9bc6ab7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619354Z", "creation_date": "2026-03-23T11:45:29.619356Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619362Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "916c535957a3b8cbf3336b63b2260ea4055163a9e6b214f2a7005d6d36a4a677", "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"7120fac4-2366-5d19-b9df-3f2aa234b839", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970383Z", "creation_date": "2026-03-23T11:45:29.970385Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970390Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "274ca13168b38590c230bddc2d606bbe8c26de8a6d79156a6c7d07265efe0fdf", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "71293ec7-8f9a-5cd3-81b1-529338fad8b1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819970Z", "creation_date": "2026-03-23T11:45:31.819974Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819983Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"d96fb94a4c4fc4bb0a79270c4ea070b3204c4ee9979be2d69439d879b3b85e19", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "71337250-7b58-51f3-9813-6ccdb1571a70", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982573Z", "creation_date": "2026-03-23T11:45:29.982575Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982580Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51", "comment": "Malicious Kernel Driver (aka daxin_blank5.sys) [https://www.loldrivers.io/drivers/0590655c-baa2-481a-b909-463534bd7a5e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "713fabed-fea3-5fe3-9330-c59582fc2528", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141310Z", 
"creation_date": "2026-03-23T11:45:31.141312Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141317Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "35b9c645469bdef383d63083d98bb947e3a1deab699d7984b86c1fe457ad260a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7142818b-a8e6-5562-8e06-e2092da083de", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984458Z", "creation_date": "2026-03-23T11:45:29.984460Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984465Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d61ce5874adb89b4e992df8df879b568d9c4136df568718a768cd807d789a726", "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "71433f41-7133-5920-93d9-f85f7f8986b6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 
10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155049Z", "creation_date": "2026-03-23T11:45:31.155051Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155056Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c0c8aea44644c2488ee1a9ddce05f183e47d3b6edee56697b0e127582cead55", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7152878d-f71b-586f-97c5-5985a187cdfe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474682Z", "creation_date": "2026-03-23T11:45:30.474686Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474695Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"c9534f81749245346003690ecd5bdbd0a2b7011fa402c4984477ee7b4f80ca95", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "71579d9d-aff0-5289-9136-5f691ea3300a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605022Z", "creation_date": "2026-03-23T11:45:29.605024Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605032Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "62366c3a767c60984c67e58b8f57ca3ecce6eaa11006de8be318f074ecc350fd", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "715a3ee9-1d54-568f-b3a1-e697a3c7e889", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982677Z", "creation_date": "2026-03-23T11:45:29.982679Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982685Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "27cd05527feb020084a4a76579c125458571da8843cdfc3733211760a11da970", "comment": "Vulnerable Kernel Driver (aka AsrSetupDrv103.sys) [https://www.loldrivers.io/drivers/19003e00-d42d-4cbe-91f3-756451bdd7da/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "715d09d9-b01f-564b-8051-e0905c869279", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826461Z", "creation_date": "2026-03-23T11:45:30.826463Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826468Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "57876e89166558bb3f3aafb64347881e5d1e153b7d3bdfac492596839062fcec", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "71650996-ed68-52c2-b62d-3a534585d291", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487702Z", "creation_date": "2026-03-23T11:45:31.487703Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487709Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4b1186d61e569091aa1c1e37ab78ead35bc3d568e9ada3f4a3f806a995ab94c6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "717c8640-0b98-5998-b9f6-5c76aa1c5cda", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829041Z", "creation_date": "2026-03-23T11:45:31.829043Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829051Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ccd3a7e948d34b5db6da27a98055e65e7c161f3c2e0a534fd114a0f080b84370", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "717cb000-9542-5749-876a-0c0a92b50f07", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604264Z", "creation_date": "2026-03-23T11:45:29.604266Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604271Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fb467e8c9edf1ac9ddabbc666cd48fc37b05e9d9390bb347504c899e15bce4d8", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "718256fb-b908-55df-a66e-52ba6e2e0552", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143808Z", "creation_date": "2026-03-23T11:45:31.143810Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143815Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f31fc480082ce2c9a5fde79fc84fda30869ed9a489d5a8984a4b8515f797cb11", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7194fbfa-9525-53f0-9a8f-6ed02003d6f0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985121Z", "creation_date": "2026-03-23T11:45:29.985125Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985134Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d50ee14181cf60bbdffe1a891b9bb3a852c93019f1f05dde47b3178b821b8f54", "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "719cac79-9f5b-5767-b078-6705eb5cfa10", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159553Z", "creation_date": "2026-03-23T11:45:31.159555Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159560Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "80d2a78390a8036400f0e67b51da1642bff09088e3578d3debe80b70859da088", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "719e319d-d4a2-5348-b9fc-7b051fbf2a7b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146150Z", "creation_date": "2026-03-23T11:45:31.146152Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146158Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c2a21728cff35609180283bdcb4872290f3659187bdcf3ea4086fc11c68546d1", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "71a110fe-9d7c-5f78-8ad8-47bcebb393f8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979636Z", "creation_date": "2026-03-23T11:45:29.979637Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979643Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "28d3a5a85eef4561c4ad08fd83aca4f7a946f8dca8bfb7958a855a80197f68a6", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "71aadc78-b29a-58fb-b4eb-22af8f917010", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610759Z", "creation_date": "2026-03-23T11:45:29.610761Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610767Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c3e150eb7e7292f70299d3054ed429156a4c32b1f7466a706a2b99249022979e", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "71ae193b-da8c-532b-94db-48a8e671a758", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977782Z", "creation_date": "2026-03-23T11:45:29.977784Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977789Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0892c3facb931521bbe87b31d836d376b169198c2550baaf444df742e85d0846", "comment": "Vulnerable Kernel Driver (aka NetProxyDriver.sys) [https://www.loldrivers.io/drivers/c1ece07b-e92a-4050-95ee-90e03aa82120/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "71b4ca0a-b181-53f2-9603-a9df87666c17", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140190Z", "creation_date": "2026-03-23T11:45:31.140192Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140198Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "29bf8f226cd4e048eef081546c4f0fd81ab77dbb54cc75e2c76effe93cb62919", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "71b6e02f-949f-52ab-9536-62bc69d03743", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618075Z", "creation_date": "2026-03-23T11:45:29.618077Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618085Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "50aa2b3a762abb1306fa003c60de3c78e89ea5d29aab8a9c6479792d2be3c2d7", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and 
nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "71b97a78-e69b-5abd-b3e0-c2c8555fc9a2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482727Z", "creation_date": "2026-03-23T11:45:31.482731Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482741Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0acef0a19973a7853d09e83a32e745cd38d4dcb88564e7575d783c0c13cfd7f9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "71e13771-07d2-5a60-9097-94c939d8260c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829863Z", "creation_date": 
"2026-03-23T11:45:30.829865Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829887Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "20dbc1837e8b10bb35b582167918dd5818026c06a9b4187405925d42eea669ee", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "71e27892-3104-5e0a-ac6f-d98226e0277b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479732Z", "creation_date": "2026-03-23T11:45:31.479736Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479746Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "843990c940711a684d360087216592cddf51742c21a134e6fe309eb49032da53", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "71e5040a-f34d-5be9-960b-6cf164bce658", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155805Z", "creation_date": "2026-03-23T11:45:31.155807Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155813Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0eb2b056075631ee5d4765beb21802a883ece09aa43e9475dd6435f0b7a5ebec", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "71f45c13-ecca-59be-9a27-644f05fe2555", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831074Z", "creation_date": "2026-03-23T11:45:30.831076Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831081Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "cdf0d7a896541d9711a4361edb602ca050d769fd5f0b0ef87a50a2962b616a6b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "720280d9-a0dc-5f08-ba71-22e1e076dffe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812081Z", "creation_date": "2026-03-23T11:45:31.812083Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812088Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "575dab49b1edb95a6cb08375428806b262796e5b54517cda608844bc4021571e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "720318e1-5d38-5cf9-a79f-649efecec71f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616988Z", "creation_date": "2026-03-23T11:45:29.616990Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616996Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ee914c20b3e4a321bcd2ea2f0f437cda6da09dc0819cd6f06960c0567f4cb19", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "72297edc-c90d-5e63-9075-095b98b7d967", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819226Z", "creation_date": "2026-03-23T11:45:30.819228Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819233Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "77aabfc119686757d31cc9d21af9bf3bacecaae09dc92e548355a145db0aa774", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "722abf29-350f-5aec-aae7-d637fbdf1a3d", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619422Z", "creation_date": "2026-03-23T11:45:29.619424Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619429Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "64d060216cf55210f595609487b708d5e70e0706a8de0827369bf58898205f34", "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "722cf7bf-5fdc-5090-a8b2-94b6d6b2815e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982765Z", "creation_date": "2026-03-23T11:45:29.982767Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982773Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "1f90d9c4d259c1fde4c7bb66a95d71ea0122e4dfb75883a6cb17b5c80ce6d18a", "comment": "Vulnerable Kernel Driver (aka d3.sys) [https://www.loldrivers.io/drivers/13b2424a-d337-4bc7-ad1d-2049c79906b4/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7233b28c-2592-527a-b88e-a25c7e92e4da", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831713Z", "creation_date": "2026-03-23T11:45:30.831715Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831720Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7cd32d0dcff4f90f0748d657ce5ac439605d30fadde084715479c3c3301552a0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7234d27d-d3f6-500c-954b-06eeee243033", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832022Z", "creation_date": "2026-03-23T11:45:30.832024Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832030Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5a195eb7e92b9aadaf6a3d56267d60acd9dd7f1bab14c3359d2c7ac84ff26afb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7237a396-cff4-55c2-85e8-da29c1d2165c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608848Z", "creation_date": "2026-03-23T11:45:29.608850Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608855Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c62bf9d0cc1edfffc15f3f002cd7f51efe3372320ec89d9dc96011000915c186", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"723ea7f7-c4c3-59ea-9bfc-fe24a5456507", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819135Z", "creation_date": "2026-03-23T11:45:31.819138Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819143Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "519b16721301d8d48f85be37a8710735d686ed128aaacaf0ca0599dfd4d4466c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7240064e-aada-52f4-b1f8-23446c613cad", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617132Z", "creation_date": "2026-03-23T11:45:29.617134Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617139Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7e8e7bc080b4c32ce703b3e8b3cc7e13fa9ef2422dc6f370a2c2b82496564aae", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "724b8135-c813-5c7a-9ee8-444dadbbe9a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489452Z", "creation_date": "2026-03-23T11:45:31.489455Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489463Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8e24bdf488308df21bcff4c381d235b536e34545bfe4e005bdff58b67622b7de", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "724d73f9-d673-5b10-a84d-d3afcc9416d9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491271Z", "creation_date": "2026-03-23T11:45:31.491274Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491282Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "afc3e6f78dec5a0763e5b24bbcadc00f11d602c92460536d00cbb5cef8fc441f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "724ee48e-a0c8-56dd-b4ff-8dca7aca1e28", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457012Z", "creation_date": "2026-03-23T11:45:30.457015Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457024Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a298cc166fe3bac9e9e4cae967f8e3bb41b08a6a97117ca4f8e5c4f198dbcffa", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "724f12ac-88fc-5a7e-b859-ad34b5d8cabe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153858Z", "creation_date": "2026-03-23T11:45:31.153860Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153865Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e502b63c5fac48bca6fc42c02aecf126310ddb318950222fe37402c0ec3ae15c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "725edd8d-7a53-5d46-b574-cb7ddfdbf9c1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148555Z", "creation_date": "2026-03-23T11:45:31.148557Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148562Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a7a61e11e82a08261b9816fefbeadc3b3253596a2a5e13d3cf6b521431245d3a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "726678cf-a8df-5f40-affe-ea4fc8030dea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477891Z", "creation_date": "2026-03-23T11:45:30.477895Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477904Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "32d6b047b0489421f7983da7d5d11f8deb2a56935d5ae0ae23cca1c0903ecad5", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "72741d26-8907-5c09-8834-91f03916f3ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469776Z", "creation_date": "2026-03-23T11:45:30.469780Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469789Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d73996901d2bfac9999a55723cb57ef5bde1e9a73070979df69f1f1fa8782c1", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "727463a2-1edc-504a-8bb8-e3d8be8f7c7a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462519Z", "creation_date": "2026-03-23T11:45:30.462522Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462531Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "be25688313f29d7e62c996572825c33f3dcdda373ec235efe552aeb2219990bb", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"7276a919-f948-5c59-aa57-d17d1f6bf5fe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473154Z", "creation_date": "2026-03-23T11:45:30.473158Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473167Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "11a4b08e70ebc25a1d4c35ed0f8ef576c1424c52b580115b26149bd224ffc768", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "727a8477-2588-592b-91a5-cbe1586b1704", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610706Z", "creation_date": "2026-03-23T11:45:29.610708Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610714Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": 
[], "type": "hash", "value": "a072197177aad26c31960694e38e2cae85afbab070929e67e331b99d3a418cf4", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "727c2643-8669-5189-85b0-29713dec87da", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828185Z", "creation_date": "2026-03-23T11:45:31.828187Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828192Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "42b1ed800666677389698c484d15b6ca791393636b27a5111c1e34b5de11b462", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "727c34d7-8c9f-5410-b3bc-ab2f53639a11", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:31.815880Z", "creation_date": "2026-03-23T11:45:31.815882Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815888Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b1e4afb828ebe4b942a8e6a25aee656978505014c66e75f8a337c564392ef666", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "728bfa36-9839-5e1d-b6fb-6623911c4548", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458137Z", "creation_date": "2026-03-23T11:45:30.458140Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458149Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5a661e26cfe5d8dedf8c9644129039cfa40aebb448895187b96a8b7441d52aaa", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "729271a8-b91e-52aa-bf62-29b9d8258387", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498632Z", "creation_date": "2026-03-23T11:45:31.498635Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498643Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "412144f010eb05a990869c6ff36e7ddc1da7655a627dd61b3b524c19e46c7f12", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "729ba945-2635-5f7c-85ac-361586b252a6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982032Z", "creation_date": "2026-03-23T11:45:29.982034Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982040Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "c2d209ed240027608003f8d32b621f8baaf5601aaf348e64269e4457a594c7c3", "comment": "Vulnerable Kernel Driver (aka PCHunter.sys) [https://www.loldrivers.io/drivers/a261cd64-0d04-4bf5-ad73-f3bb96bf83cf/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "72a35022-1f84-560d-b2c3-fb64df534ae6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984338Z", "creation_date": "2026-03-23T11:45:29.984340Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984345Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f581decc2888ef27ee1ea85ea23bbb5fb2fe6a554266ff5a1476acd1d29d53af", "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "72aac524-22a4-5d1f-90ec-ab810689f95d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453695Z", "creation_date": 
"2026-03-23T11:45:30.453699Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453707Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f2cf5653792f32013c6bf8afb2217953708c7040e248ee7a48543e78097c4512", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "72ad6b69-1af0-567f-bd00-94c10f8bf768", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463558Z", "creation_date": "2026-03-23T11:45:30.463561Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463569Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "94c71954ac0b1fd9fa2bd5c506a16302100ba75d9f84f39ee9b333546c714601", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "72afebbf-9154-5489-866e-948e51ca34cd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611044Z", "creation_date": "2026-03-23T11:45:29.611046Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611052Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6045d564286f00fc1efedd25ffd22ecb7eaf2b3a6c778e392319380c77e45658", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "72b8909f-768c-5a1a-a321-edbd592898d2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145182Z", "creation_date": "2026-03-23T11:45:31.145184Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145190Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bce6677edd89a2cb72b1c81629be195a6d53efda931d4de08cb3c3feda90cda8", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "72c1cca8-fb1d-5567-aac7-057b3b5797fc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469427Z", "creation_date": "2026-03-23T11:45:30.469430Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469439Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c24d0fa3ec5fae870fb0a4e38943d396929d78165354bae56ae5730eb4d062e1", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "72c90592-7188-5fc0-8727-bbcf438d87c2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145488Z", "creation_date": "2026-03-23T11:45:32.145491Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145496Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "628c559f9f5de53cad74bc1f0c489bbe1aa5ef5672f47f73c0bfff1fcf98faca", "comment": "Malicious Kernel Driver (aka driver_4fc254af.sys) [https://www.loldrivers.io/drivers/85335187-dae0-4f06-acea-209efaf74973/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "72de97b8-155e-51fe-84c3-d493fb200f4f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605430Z", "creation_date": "2026-03-23T11:45:29.605432Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605438Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "72e67650-995a-5488-b184-cad2a82ff6c3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480227Z", "creation_date": "2026-03-23T11:45:30.480229Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480234Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ae73dd357e5950face9c956570088f334d18464cd49f00c56420e3d6ff47e8dc", "comment": "Vulnerable Kernel Driver (aka GEDevDrvSYS.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "72f131e6-fc37-5b83-9b2b-3cb5a3a479d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826710Z", "creation_date": "2026-03-23T11:45:30.826712Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826718Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7be4d4fe36fc8d9cb95f9b5a9cacc6387c1cb3e7f3e0774cd1713adbe25585fc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "72fb555d-f5dd-5a3c-8401-f19285b80606", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967856Z", "creation_date": "2026-03-23T11:45:29.967859Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967866Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff284e41b303db67aefcf22328b53712a80552741bdf2707cdc53c4a56db61aa", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "72fd2e96-a93e-5e91-a732-63f1a02402ad", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489777Z", "creation_date": "2026-03-23T11:45:31.489780Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, 
"hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489788Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1153d489159dbfc0f73b382b5fe7a65decb407c5bd660a1d75bacbb0bf480cf0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "730bbf03-ae27-5262-b332-9ec122cf6409", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821583Z", "creation_date": "2026-03-23T11:45:31.821585Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821591Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee3524f84250982770fe9c8b87a03e52559ae6bf0267977b23331c1cd944912f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "731d47d9-a017-5c36-8c12-4343ae84b791", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459215Z", "creation_date": "2026-03-23T11:45:30.459218Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459227Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5c54a5cd3386ac14725a07962562e9fdcefbb7be0d19803f9d71de24573de1e3", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7328f342-5d06-5eaf-b068-ce74ec11b350", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604986Z", "creation_date": "2026-03-23T11:45:29.604988Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604994Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "48e385449293884fd8b960a5aafd638fd67b86a4e344ab8aa8b330c333e2f6de", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7331b3ad-2d92-52a9-b0de-2923f9512335", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466777Z", "creation_date": "2026-03-23T11:45:30.466780Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466790Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "41ad660820c41fc8b1860b13dc1fea8bc8cb2faceb36ed3e29d40d28079d2b1f", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "733d2009-8fc2-5f88-9a2c-6a9bcadd11aa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146923Z", "creation_date": "2026-03-23T11:45:32.146927Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146935Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b2ff9ef50ae037bb003d7157ea8da008a48f715a78c644b5f027b070bf5eb049", "comment": "Vulnerable Kernel Driver (aka CSAgent.sys) [https://www.loldrivers.io/drivers/ca6455d1-b06e-496c-be33-f89c41b27540/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "73484597-63ac-5e39-8904-5c2d5ce45e55", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493347Z", "creation_date": "2026-03-23T11:45:31.493349Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493354Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bfcc07c38577184a196241d9ec950a897283e9035f5691fd98ef0b8a4217fc95", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "73493972-6467-5cd4-9ac3-b97ab76eb082", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606121Z", "creation_date": "2026-03-23T11:45:29.606123Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606128Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6bfc0f425de9f4e7480aa2d1f2e08892d0553ed0df1c31e9bf3d8d702f38fa2e", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "734d7179-7067-54c2-b2f0-c9dd85c4cc10", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156483Z", "creation_date": "2026-03-23T11:45:31.156485Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156491Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a54fd22d8f78a8ba931972bf703eda24671c6d892c1fb979c8902ee27202a120", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"734e34d7-746e-5d75-9128-8cf79408d400", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486230Z", "creation_date": "2026-03-23T11:45:31.486234Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486244Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "54c6aaa465b70002a698d098850be2dc8fc24cc91dc8c60fc93f809b1ff34e8d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7360fccd-6978-5146-8d22-e6350ddc6209", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453313Z", "creation_date": "2026-03-23T11:45:30.453316Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453325Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3140005ce5cac03985f71c29732859c88017df9d41c3761aa7c57bbcb7ad2928", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "73720332-876e-5d5a-9788-80e5c2797fb1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490506Z", "creation_date": "2026-03-23T11:45:31.490508Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490513Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1d5b5e581f7148fabe40f58754b08c9ecf1d0a7d463243c97ec69dea86bf29a6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "73743ef2-68f4-5751-8099-b0043b53bd69", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980498Z", "creation_date": "2026-03-23T11:45:29.980500Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980506Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "30d737a6da29ad2fe035c0a5f1f7a423a8cd96b8f3dc9885fe95ef3333478dd7", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "737af276-81ed-5d37-aa7a-aa470290a730", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498550Z", "creation_date": "2026-03-23T11:45:31.498553Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498561Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "89ef99feca2c7e781e1a8986cb8367c4a46a90f9a4640e7b29756ff05851ec43", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"73820eaf-499d-5319-b3d7-63f67d6d2ac6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606647Z", "creation_date": "2026-03-23T11:45:29.606651Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606657Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c70f2a3b20ba75fd8d14daab331dfbf341c455cd6bcc1969092ec4559261bcf", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "73883859-5576-5d8b-b231-250f9a6cf956", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977090Z", "creation_date": "2026-03-23T11:45:29.977092Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977097Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "c9532a354c24fd256c24534c554bca5a126414eb496dbd3223fe9486418df2ea", "comment": "HP Hardware Diagnostic's EtdSupp vulnerable driver (aka etdsupp.sys) [https://github.com/alfarom256/HPHardwareDiagnostics-PoC] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "738a5fe3-89b7-5799-8e30-217cc112b6cd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613807Z", "creation_date": "2026-03-23T11:45:29.613808Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613814Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "410f02303292798ab2a8b3e7d253938b466e83071b15e7d3aaa25f4995b27187", "comment": "Vulnerable Kernel Driver (aka Bs_Def.sys) [https://www.loldrivers.io/drivers/3ac0eda2-a844-4a9d-9cfa-c25a9e05d678/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "739178d9-a60a-5511-aa1d-d4a0f1820332", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.819343Z", "creation_date": "2026-03-23T11:45:30.819344Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819350Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c92df36fa57fd215aef78a016c6cf6bd535bb3472ce4eb07e403535daa96318c", "comment": "Vulnerable Kernel Driver (aka hwdetectng.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "73a0b036-fede-5775-900e-de25ef5ab872", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829182Z", "creation_date": "2026-03-23T11:45:31.829186Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829195Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7dc7e4e72bcaa9e7b67f440a2d69b6656b9092ca1a2897fe14905826695432ee", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "73a40aff-4771-5836-9e72-abb7a343aa27", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976119Z", "creation_date": "2026-03-23T11:45:29.976121Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976126Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "filename", "value": "systeminformer.sys", "comment": "SystemInformer driver (aka systeminformer.sys, formerly known as kprocesshacker.sys) [https://github.com/winsiderss/systeminformer] [filename; matches on file name only, not on file content or signature]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "73ad278c-5ee5-5ad1-a7bd-76016804d5d3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622191Z", "creation_date": "2026-03-23T11:45:29.622193Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622198Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "362c4f3dadc9c393682664a139d65d80e32caa2a97b6e0361dfd713a73267ecc", 
"comment": "BioStar Racing GT EVO vulnerable driver (aka BS_RCIO64.sys) [CVE-2021-44852] [https://nephosec.com/biostar-exploit/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "73bc7830-8325-5279-b26e-6103889f1b9c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983351Z", "creation_date": "2026-03-23T11:45:29.983353Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983359Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d4335f4189240a3bcafa05fab01f0707cc8e3dd7a2998af734c24916d9e37ca8", "comment": "Vulnerable Kernel Driver (aka kbdcap64.sys) [https://www.loldrivers.io/drivers/6a7d882b-3d9d-4334-be5f-2e29c6bf9ff8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "73bf3515-24d6-536b-94c9-c8f90fede636", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817160Z", "creation_date": "2026-03-23T11:45:30.817162Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817168Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3c11dec1571253594d64619d8efc8c0212897be84a75a8646c578e665f58bf5d", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "73ca0d88-49b7-5b9b-a3b4-bd8d6309c0b5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478600Z", "creation_date": "2026-03-23T11:45:30.478603Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478613Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b5d0849fc567c169176c2002dd358240d75ca0aacfca92c79d252006c6e0444e", "comment": "Vulnerable Kernel Driver (aka vboxdrv.sys) [https://www.loldrivers.io/drivers/2da3a276-9e38-4ee6-903d-d15f7c355e7c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "73cf54bb-309c-5fdc-96b7-a0ff25497176", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456219Z", "creation_date": "2026-03-23T11:45:30.456222Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456231Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7a1feb8649a5c0679e1073e6d8a02c8a6ebc5825f02999f16c9459284f1b198b", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "73d6b906-a4c7-5d45-bb89-2f8aa6478a14", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474502Z", "creation_date": "2026-03-23T11:45:30.474505Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474514Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e43be62587d7c4bb371bc0a1142a87a2a021bd0dcfd6cd107a50837c109e3ba", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "73dc7e36-4871-53b0-bd8d-da5f2abe3746", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975467Z", "creation_date": "2026-03-23T11:45:29.975471Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975481Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8b5153404fe836cf93237c50977cdb28a3bbd9663bdf63f5bfa26e65e1d00b3f", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "73ddf34d-96d9-5e29-a452-bf1fb213a85d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478830Z", "creation_date": "2026-03-23T11:45:30.478833Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478842Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6165491e8391eac9c0e3b9a2a31e1692a567c16cbfa36d7a88c401ffae1f6c63", "comment": "Vulnerable Kernel Driver (aka asas.sys) [https://www.loldrivers.io/drivers/dbb58de1-a1e5-4c7f-8fe0-4033502b1c63/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "73e12948-d6cf-587a-8eb2-0409c5c52eb8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140782Z", "creation_date": "2026-03-23T11:45:31.140784Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140790Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ef9485e039d30ff71e9894ec4bbe2efce32ca9ecf1bb919dffb5f6cebea00993", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "73ecfaf9-84ee-52b1-97ec-bec6a5c8a563", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820617Z", "creation_date": "2026-03-23T11:45:30.820618Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820624Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "64dddd5ac53fe2c9de2b317c09034d1bccaf21d6c03ccfde3518e5aa3623dd66", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "74094e0f-5873-58cd-afe2-daa8ac9540a8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475379Z", "creation_date": "2026-03-23T11:45:31.475383Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475393Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bb1dd60610ec06f02801006be2e9c4274d7ae3e6a3b17d6760f27f470d16d3ac", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "741bafce-1532-5559-96e6-328a42db91ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827017Z", "creation_date": "2026-03-23T11:45:30.827019Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827024Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "27f8831c710ae2471f6c35d2311e690b36acc9d31d466b22ff7ffbfe1ef3ced8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "742a06af-a2f1-5a07-800e-16816dea1c63", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610828Z", "creation_date": "2026-03-23T11:45:29.610830Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610836Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "df0dcfb3971829af79629efd036b8e1c6e2127481b3644ccc6e2ddd387489a15", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "742e502b-88e4-5596-9cbd-b6f31ddd363d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156740Z", "creation_date": "2026-03-23T11:45:31.156742Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156748Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "643d283d908f4ac343a878d98b6477cbb6eba4424ca6ad85341e91237d288b06", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7432fa8b-24e3-57c8-a2d1-4d7e41c7415e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822607Z", "creation_date": "2026-03-23T11:45:31.822611Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822619Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b37dbd665e83bb8554b6f46b1246bb8cac9dba98963b319a037cde6495b2ad71", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "744cbc20-393c-5bf0-9d87-ddc23081795b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976010Z", "creation_date": "2026-03-23T11:45:29.976012Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976018Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "01b9a38c08e8a143c2e51768bd6c227367d1502c090033beddec5a89f50ca4cd", "comment": "SystemInformer driver (aka systeminformer.sys, formerly 
known as kprocesshacker.sys) [https://github.com/winsiderss/systeminformer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "744ddd60-3539-5e4f-a94c-3eac1b4afb1d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160891Z", "creation_date": "2026-03-23T11:45:31.160893Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160898Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a8a37ef69dbc56da1ffeb5cc8bb7bca2b2472513af7614ce7e562b0f92082540", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "745543b6-1ac7-515f-9cd3-af4350d7eec9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463978Z", "creation_date": "2026-03-23T11:45:30.463981Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463990Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "baf7fbc4743a81eb5e4511023692b2dfdc32ba670ba3e4ed8c09db7a19bd82d3", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "74559025-6519-5942-9168-3de2542a624a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975184Z", "creation_date": "2026-03-23T11:45:29.975186Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975191Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff9623317287358440ec67da9ba79994d9b17b99ffdd709ec836478fe1fc22a5", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "745fe60c-3216-5e5a-918c-c6cc49284a1f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609884Z", "creation_date": "2026-03-23T11:45:29.609886Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609892Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0e291148da43ea6a491b8b94bdf573365087940c9b90f6a15a4e589da86a518d", "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "74741935-c3e3-5dd9-9e2f-58cd9cc0b340", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156690Z", "creation_date": "2026-03-23T11:45:31.156691Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156697Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"145c0df9b3bd1e84373cec313183eb7273048b861c3bdc46d23597ee8807a156", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "74766a75-53cf-5cd3-9f99-eb7db319c3bf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494692Z", "creation_date": "2026-03-23T11:45:31.494694Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494699Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e2cec63897dd10f604a4485aacb062e1546be7cb4d787557f0b37eddcf1edd8a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "74889480-071e-5974-b914-5878e9ab1680", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828561Z", "creation_date": "2026-03-23T11:45:30.828563Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828568Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd7bafa95c2e3dd217c40c03b3e5224daa6cf2b8969baaa9d7e3d90e172ea5e3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7488e995-e400-5d91-be4b-376c9206c052", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475856Z", "creation_date": "2026-03-23T11:45:30.475859Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475868Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "72b67b6b38f5e5447880447a55fead7f1de51ca37ae4a0c2b2f23a4cb7455f35", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7492167f-7ebd-517f-8108-6c45cb37ca1b", "test_maturity_current_count": 
0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818347Z", "creation_date": "2026-03-23T11:45:30.818349Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818354Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "90574d2c406b9738aae8fc629c3983c5e47a6282a43b052f38b5dd313380c30a", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7495af6f-44cf-549a-b65c-e2fb0bf836c8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604664Z", "creation_date": "2026-03-23T11:45:29.604666Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604672Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"a689804c4e6e9aa07d48f9c99b7a1be6b05cba1c632b1a083b8031f6e1651c28", "comment": "Vulnerable Kernel Driver (aka mydrivers.sys) [https://www.loldrivers.io/drivers/d9e00cc7-a8f4-4390-a6dc-0f5423e97da4/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "74a4f858-1ec9-5461-b804-0cd57f1787be", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977414Z", "creation_date": "2026-03-23T11:45:29.977417Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977426Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9d58f640c7295952b71bdcb456cae37213baccdcd3032c1e3aeb54e79081f395", "comment": "Vulnerable Kernel Driver (aka ProtectS.sys) [https://www.loldrivers.io/drivers/99668140-a8f6-48f8-86d1-cf3bf693600c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "74b2309d-00f0-5038-a8de-206213123154", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156327Z", "creation_date": "2026-03-23T11:45:31.156329Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156335Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b1af3c4cd93f51d6aa2e77729fc7b8f0246dbcd08a022906dfddbce7bd430aaa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "74b56757-e00c-51c1-9e0c-e8426c467bce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970089Z", "creation_date": "2026-03-23T11:45:29.970090Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970096Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9d736f624a306d6e2399778dd92ab7f4f7ab33c6ca0528657bc026214f990a4f", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "74bc10aa-13ec-5d1e-8aee-7d7889e1efbf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820651Z", "creation_date": "2026-03-23T11:45:30.820653Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820658Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6d2cc7e1d95bb752d79613d0ea287ea48a63fb643dcb88c12b516055da56a11d", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "74cc68b9-6c07-52b2-a64c-d5b104702f95", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153042Z", "creation_date": "2026-03-23T11:45:31.153045Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153053Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8eaac070c8aab78970a262f7f2f072c546587ad98aff0211c2ba2450a3011d91", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "74cccde6-396b-5bae-9688-0c46891d793b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146546Z", "creation_date": "2026-03-23T11:45:31.146549Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146554Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cc2817ba92143e5ce61d39b25e41cc2af61c405dc3201b6e25463e70b88b008f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "74cda055-ac2b-5cb9-9583-57688716e410", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620370Z", "creation_date": 
"2026-03-23T11:45:29.620371Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620377Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9a1d66036b0868bbb1b2823209fedea61a301d5dd245f8e7d390bd31e52d663e", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "74d3557f-ba46-5358-9939-6bbbe91ee93e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968562Z", "creation_date": "2026-03-23T11:45:29.968564Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968570Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ce81759bfa236913bbbb9b2cbc093140b099486fd002910b18e2c6e31fdc4f1", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "74d68951-fee8-5771-a7fe-683a0ebceb53", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819490Z", "creation_date": "2026-03-23T11:45:31.819493Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819501Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ae69fe60af8e539c0448ff886b64a5b6cf4724118134d8e68fa1e038fd6bdf63", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "74dad053-0838-5502-85f5-3fc0587f52c7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148572Z", "creation_date": "2026-03-23T11:45:31.148574Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148580Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"9e5f9cd77bc75592166179972748adbd5f5ba1cee16befcfa65ac688ad8a6799", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "74db39c3-270a-5bc4-86e6-0ac39a8ec4e1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827085Z", "creation_date": "2026-03-23T11:45:31.827087Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827093Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cf433c0c2769fff006a0728b189c37683be8a77f7a981c9dce46c4eea6990e22", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "74eaa6f0-9357-5613-9e8e-8605a687c639", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813426Z", "creation_date": "2026-03-23T11:45:31.813428Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813436Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e85389084d4e3680d8183d94089ca54e8d706305b4fe0400737d200c74c6fa11", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "74f8f6d6-8796-5fdc-8ed5-b4d8c962f2ed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144884Z", "creation_date": "2026-03-23T11:45:32.144886Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144892Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aa20aa2316cd6d203146bd2bc5b7466ba7b83a8500654a688172bcafa82ab168", "comment": "Vulnerable Kernel Driver (aka tboflhelper.sys) [https://www.loldrivers.io/drivers/07c57c69-c8d7-40cf-8bcc-612671427044/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7500a648-c37e-5c74-8f90-3a6ddf2cb00e", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834965Z", "creation_date": "2026-03-23T11:45:30.834969Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834978Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f262595446d780dccdc21575dc7ea3cc4693a183526d5e31df12af553f5f3c76", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "750e8b21-baa9-52ce-a9aa-f655379a3f5f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968596Z", "creation_date": "2026-03-23T11:45:29.968598Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968604Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "3b6e85c8fed9e39b21b2eab0b69bc464272b2c92961510c36e2e2df7aa39861b", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "751b809c-2385-56d1-925c-b3447281af4a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144985Z", "creation_date": "2026-03-23T11:45:32.144987Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144993Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4143a5bbea0d303c22d6edc6f43463e336eea9144218e02adad72133266130d2", "comment": "Malicious Kernel Driver (aka driver_d1ea9e16.sys) [https://www.loldrivers.io/drivers/8697785a-d088-42a7-ac25-b5c8a3b22664/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "751f5975-5a61-54ae-a9be-b39784c83c55", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:32.143467Z", "creation_date": "2026-03-23T11:45:32.143469Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143474Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6278bc785113831b2ec3368e2c9c9e89e8aca49085a59d8d38dac651471d6440", "comment": "Vulnerable Kernel Driver (aka wsdkd.sys) [https://www.loldrivers.io/drivers/a8f2da2a-369c-4b4d-9a00-d7a892b9f7c3/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "75303b7d-b6fe-5e28-bc87-951f180ee16e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617521Z", "creation_date": "2026-03-23T11:45:29.617523Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617528Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2952ae305f9e206bb0b6d7986f2b6942656c310f9d201cf2e2dd6e961c18804e", "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "75474ac6-f4ed-5ea2-a25f-db887733fc9b", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472374Z", "creation_date": "2026-03-23T11:45:30.472377Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472386Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d366cbc1d5dd8863b45776cfb982904abd21d0c0d4697851ff54381055abcfc8", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "75485e95-4fc0-5e5e-b29b-f58a4a1e65d7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830429Z", "creation_date": "2026-03-23T11:45:31.830431Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830436Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4d54f1068df426973293ef4a2600642f1bb355511a81fa7d69526dd6ca88f9c0", 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "754a2f56-6765-5bed-84d8-193cdd9e7f0c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148881Z", "creation_date": "2026-03-23T11:45:31.148883Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148888Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eaffbe1b1d732fac8ea2fd78b6a9272d08c89c90d8be590a1128c20e4f34a010", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "754ac519-0359-5e43-876a-5ce0ba54375d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622140Z", 
"creation_date": "2026-03-23T11:45:29.622142Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622147Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7ec93f34eb323823eb199fbf8d06219086d517d0e8f4b9e348d7afd41ec9fd5d", "comment": "NamCo vulnerable driver (aka smep_namco.sys) [https://securelist.com/elevation-of-privileges-in-namco-driver/83707/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "755cb237-a350-5483-8d46-399d1e7fd91a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610124Z", "creation_date": "2026-03-23T11:45:29.610126Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610131Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "34bee22c18ddbddbe115cf1ab55cabf0e482aba1eb2c343153577fb24b7226d3", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "75733e07-93b7-5fb8-bad7-f9037248eb13", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618057Z", "creation_date": "2026-03-23T11:45:29.618059Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618065Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4737750788c72d2fc9cf95681c622357263075d65b23e54c4dc3f31446cad37b", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "758ec7c1-8ea9-5995-a603-90db92ea0309", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823713Z", "creation_date": "2026-03-23T11:45:31.823715Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823721Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"5483d329abd393f8210f4c2ac1ac869d0460437a3f02d2b12bce5d79efb6094c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "75902a3f-6097-5473-bf71-acad317b735e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617731Z", "creation_date": "2026-03-23T11:45:29.617733Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617739Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "71dc8d678e0749599d3db144c93741f64def1b8b0efb98bef963d2215ebb4992", "comment": "Cheat Engine dangerous driver (aka dbk64.sys) [https://www.loldrivers.io/drivers/1524a54d-520d-4fa4-a7d5-aaaa066fbfc4/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "759199e1-0a20-5d1b-abd7-37733a1e1251", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.823815Z", "creation_date": "2026-03-23T11:45:31.823817Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823822Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2cec449ef0979ac93a7ef6800ee545eea4e06c7fde1e845b6e03a4d876ecbf78", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7595d3f8-78b9-582c-91a1-1589b35bef58", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973810Z", "creation_date": "2026-03-23T11:45:29.973812Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973817Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "818e396595d08d724666803cd29dac566dc7db23bf50e9919d04b33afa988c01", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "75a4f09d-428c-5f4d-b71e-7b022902dc11", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151782Z", "creation_date": "2026-03-23T11:45:31.151785Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151795Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "91106ec1eca4aa843813fc2f938a6bd8a11479afd0994f84c4adf28e0ad628c5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "75af6210-5611-5f5d-8bc1-a25b1116707e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490644Z", "creation_date": "2026-03-23T11:45:31.490646Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490651Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "2076e52665e419bb4001119a08c5cee2cb8931e534b2fa92a01112866ec0bd5a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "75b80154-0ed1-5d7e-8021-f594f6d9a19b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976228Z", "creation_date": "2026-03-23T11:45:29.976230Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976235Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fd223833abffa9cd6cc1848d77599673643585925a7ee51259d67c44d361cce8", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "75c26195-5de6-5df8-b9d0-984ae906647a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820065Z", "creation_date": "2026-03-23T11:45:30.820067Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820073Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5f5243c9d9638a23ccf0e32f54c585e5688a4a853ff04898281fa23697aaec34", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "75e09d81-e474-5593-818d-cd943503a42f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975325Z", "creation_date": "2026-03-23T11:45:29.975327Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.975332Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "43b82200c2189aa63b332a62907f12fd5ad52fe275feca60fa9636555319518a", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "75ed486c-f9d3-5ef8-819a-59d1c697ac4d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483662Z", "creation_date": "2026-03-23T11:45:31.483666Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483675Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5d1e83cb1056ee615c4f03456d55dfc95a76f8afc64116728edd5c44ca7017fa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "75f7bce2-29d7-5d6a-9fb2-c55b8969f627", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604090Z", "creation_date": "2026-03-23T11:45:29.604092Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604097Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9f742d827a2e203a4c9d8fccb1daf2e85d451761fc9c0acb962dd6c447ef10ca", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "75f872d7-7c98-5539-86a9-cadd39823d63", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470990Z", "creation_date": "2026-03-23T11:45:30.470993Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471002Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"234664ae69df63d55c1477f3adc33ffdb130fc939c55c16e73e3339a133bcfa3", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "75f9d3a5-a896-5556-bff0-36bcdc84fcc7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.142939Z", "creation_date": "2026-03-23T11:45:32.142941Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.142947Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2fa50ee8ed9d5c91d3375950613132497c44f468193bce9fe8e51c918a9498b5", "comment": "Vulnerable Filseclab Driver (aka fildds.sys, filnk.sys and filwfp.sys) [https://twitter.com/SophosXOps/status/1764933865574207677] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "76015575-1679-5cbd-a935-eb28dc554abd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835375Z", "creation_date": 
"2026-03-23T11:45:30.835378Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835388Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d86194d55186fa5f976da6cdc8758411d8e3d6a221417ac815aa3ba148e0d90", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "76042022-c1f2-5fbc-8701-7d9c84598809", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982538Z", "creation_date": "2026-03-23T11:45:29.982540Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982545Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae", "comment": "Malicious Kernel Driver (aka daxin_blank1.sys) [https://www.loldrivers.io/drivers/1bf3b155-752a-4cc7-beb0-f202e525eb1a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "760a10b5-d13e-5837-8a1c-2b670477440c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983439Z", "creation_date": "2026-03-23T11:45:29.983441Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983446Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d25904fbf907e19f366d54962ff543d9f53b8fdfd2416c8b9796b6a8dd430e26", "comment": "Vulnerable Kernel Driver (aka Blackbone.sys) [https://www.loldrivers.io/drivers/b9b835bd-b720-424b-9160-2442bc4d6e58/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "76145b10-7db1-529f-8f28-c94951fae112", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979342Z", "creation_date": "2026-03-23T11:45:29.979344Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979349Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6994b32e3f3357f4a1d0abe81e8b62dd54e36b17816f2f1a80018584200a1b77", "comment": "Malicious Kernel Driver 
(aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7616a600-1824-5b3e-87f4-6c3e8b65dda9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816834Z", "creation_date": "2026-03-23T11:45:31.816838Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816846Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab47c98ad0fd5bd499a9b64e8697049658e4e7f4e3ac5573d6d776578749cc80", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "761eae45-3d62-5d71-8891-f4ba44272805", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610388Z", "creation_date": "2026-03-23T11:45:29.610390Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": 
true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610396Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "49329fa09f584d1960b09c1b15df18c0bc1c4fdb90bf48b6b5703e872040b668", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "76344f3f-8ead-5fef-8bae-1f4d73eff66f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605576Z", "creation_date": "2026-03-23T11:45:29.605578Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605583Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "37a165ae09645763189c2a973475d744bf3897f267dcca673b6b57477d9f8b38", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "764892de-3027-5ee3-95c4-4f1603a45696", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154501Z", "creation_date": "2026-03-23T11:45:31.154503Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154509Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a7e0b9e529533471060e5cd0f9fbed341d18225a58a12c6c13c615ae062cb1e5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "765e9e57-fd6e-5860-8839-d7751018ab24", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460152Z", "creation_date": "2026-03-23T11:45:30.460155Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460164Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "96df0b01eeba3e6e50759d400df380db27f0d0e34812d0374d22ac1758230452", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) 
[https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "766256c7-dd82-57c9-beb8-0985e5a500b9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464006Z", "creation_date": "2026-03-23T11:45:30.464009Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464018Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "36c65aeb255c06898ffe32e301030e0b74c8bca6fe7be593584b8fdaacd4e475", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "766b7dd5-d1d1-544e-b883-4d9cc4f4a7ba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979653Z", "creation_date": "2026-03-23T11:45:29.979655Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:29.979663Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff6108dd2017f9bc7ea93c43c1afbda0f1cc7b00f5afafb4ce3cf0a193e9598b", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "76844164-ac86-5ad3-aff5-58974bb72639", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984303Z", "creation_date": "2026-03-23T11:45:29.984305Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984310Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f8965fdce668692c3785afa3559159f9a18287bc0d53abb21902895a8ecf221b", "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "769629b5-ebad-5c09-9c82-c7bb5df069c3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, 
"username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618807Z", "creation_date": "2026-03-23T11:45:29.618808Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618814Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7680d9b4f66fe4fe9d4a45f2ebdb3f17e7d3e2519e0b61d691761a2222cf444b", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "769e350c-e261-5936-a125-4a39e839a3bc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480460Z", "creation_date": "2026-03-23T11:45:31.480465Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480475Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "93e5d1ed74e874f2d17b24df51e55061cffdb9ea0226c4a41f38bbd43e97f18b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "76b2a15c-a747-5ad6-9011-3b8fbad5d476", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813758Z", "creation_date": "2026-03-23T11:45:31.813760Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813765Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3c84521ad34c174640e0ce2b640fad0acd48485167eedac86e3485b3768da946", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "76cfdb22-592f-55ed-8b53-159787a42f90", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970455Z", "creation_date": "2026-03-23T11:45:29.970459Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970467Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f83d1913ba46517737c2667cb3652787523480347a12a5b69f8bdd2cb5242e49", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "76d06454-e42e-5a32-b674-19917bbccade", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816436Z", "creation_date": "2026-03-23T11:45:30.816438Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816444Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "22901319d041f2650d1ade9a8f66f7e6993800d1c20e6014b7da6642d0e8d90e", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "76d5cca2-96ea-5a92-ba02-deb8f0eb9be4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612057Z", "creation_date": "2026-03-23T11:45:29.612059Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612064Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0c7809ac1fa074408518ddc0ac118912c9cd43ed9c89213bc4d59043016b040c", "comment": "Vulnerable Kernel Driver (aka test2.sys) [https://www.loldrivers.io/drivers/6356d7d9-3b82-4731-9d5f-cc9bc37558fc/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "76d70b7b-6bd6-5527-95e7-eb8990ccc167", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975690Z", "creation_date": "2026-03-23T11:45:29.975692Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975697Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c5647d315fb5ca1dcf4b063ea3f54003e2545739871519b8f2c98dc5baf66bac", "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] 
[authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "76dfdd88-6c77-5e96-a6c7-0a658e17edb9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143113Z", "creation_date": "2026-03-23T11:45:31.143114Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143120Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1f7c82d65a8d7904e0581339770a14596b5a40fa1b24de8942b79006c05e11d6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "770ccf2e-a419-5f56-9c2c-568bd0aea266", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492521Z", "creation_date": "2026-03-23T11:45:31.492523Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:31.492529Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b50c9fa91866a60c381d7691f04ee27b190a65bda1f445abfe9e4e6d8e8c19d1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "771689b3-904f-5d20-86f8-1a8a44d0550a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835975Z", "creation_date": "2026-03-23T11:45:30.835977Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835983Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd07ce8faab0241f38ff052c0b3b204b4432b43c79bed23422f415fed668e132", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "771a29fa-88e5-5781-97be-6f5132e74d79", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453402Z", "creation_date": "2026-03-23T11:45:30.453405Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453415Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aeaafcb5d6a7f0354915c615bd0cf0e024168d17bd87d4dfe0bd60099482b4a4", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "771c28e8-4da4-5e50-b2aa-cdf38d259aff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812509Z", "creation_date": "2026-03-23T11:45:31.812511Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812516Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2d7e5463bc619227af0b1700bcf487269d5fea0d2f4e9fdab496271110112cc5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "773c71f0-ef94-5d29-a59f-a479d431d04e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968332Z", "creation_date": "2026-03-23T11:45:29.968334Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968339Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ebbaa44277a3ec6e20ad3f6aef5399fdc398306eb4c13aa96e45c9a281820a12", "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7756f2a4-5d47-5fe3-a841-f11b39d64f3a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160276Z", "creation_date": "2026-03-23T11:45:31.160280Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, 
"hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160289Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "10d2d4f5810d9626ac57c4463810d4cf663bf7d03a0c0875a41df2dc86d57f93", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7757368c-56ac-5191-b1a5-2886c1831ec1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829237Z", "creation_date": "2026-03-23T11:45:30.829239Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829245Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9c7c7d374576e95e93c1ddd70d2d879c56f3e34d7073164e9186aa6fc6431fea", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7758d1c7-64eb-5470-b886-46e0fcd62118", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145623Z", "creation_date": "2026-03-23T11:45:31.145625Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145630Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "69a8e57b60cec2be20e3ccb5df2e019a000d29120b05294b98f1453ea2386333", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "775edca8-bf4b-51c5-b245-c39dfd3bebec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489057Z", "creation_date": "2026-03-23T11:45:31.489059Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489065Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3653b2e37210321129e87c3acd7572bd0200bb13a68fa382705ec79c02c6f3ad", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "77653978-2015-5199-b8ec-3a6c948a2fb1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486346Z", "creation_date": "2026-03-23T11:45:31.486349Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486357Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9551a6958011dd3b5c70fa7ec25b4d1decff0d8e9ba9875bacab06adc6eed9e8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7769ba24-8dd4-50da-afed-b6a468b3bcdd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460891Z", "creation_date": "2026-03-23T11:45:30.460894Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460904Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4eb1b9f3fe3c79f20c9cdeba92f6d6eb9b9ed15b546851e1f5338c0b7d36364b", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "776a8b23-bee6-55d5-a2a5-7b462d0e3160", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617782Z", "creation_date": "2026-03-23T11:45:29.617784Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617789Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c9cf1d627078f63a36bbde364cd0d5f2be1714124d186c06db5bcdf549a109f8", "comment": "Getac Technology vulnerable BIOS update tool (aka mtcBSv64.sys) [https://www.loldrivers.io/drivers/3bc629e8-7bf8-40c2-965b-87eb155e0065/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7777b725-f411-5be2-a4cc-0ecc91efcfe2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144334Z", "creation_date": "2026-03-23T11:45:32.144337Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144342Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "289761eef2976b001879181b97324408e849729dbf41403fb73ee85565667012", "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "778d68f5-f8fc-5f57-884b-750a324caebb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145570Z", "creation_date": "2026-03-23T11:45:31.145572Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145578Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f3ec72b09bf08acde63cb70be268d3dc8024e475a09016be6ba84389613842f0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "779ad2b7-43c4-59c1-9613-a69705cb4a6d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605953Z", "creation_date": "2026-03-23T11:45:29.605956Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605978Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bdbceca41e576841cad2f2b38ee6dbf92fd77fbbfdfe6ecf99f0623d44ef182c", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "77ab0f68-a723-5bc1-88bd-a3d02660da9f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150000Z", "creation_date": "2026-03-23T11:45:31.150002Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:31.150008Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "10aef6faf4aacd54afa01b6e5476be5c5c12bf65fb938150a23058646cf006ed", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "77ac351a-d90f-5f9b-85e3-bb9ef210e769", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969452Z", "creation_date": "2026-03-23T11:45:29.969454Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969460Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2cd8e9eb8e4754f07fdfc8c3aae4d7fc0d25b346884c3474db35c757d2994b34", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "77af0422-e09d-5357-905f-a31d166784ea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487613Z", "creation_date": "2026-03-23T11:45:31.487615Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487621Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "653ed33a842c6b966785d9cf3e1e794e28585305e989f70954ccf0e9f9126444", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "77b2ede8-c6ef-595f-87a9-78cc356f5e7a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829501Z", "creation_date": "2026-03-23T11:45:30.829503Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829508Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f5b43b85c87271641e2ac41768851284a02b3eb578946a32c9b0e762f2c00dcc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "77b45c06-d4fb-5167-b87b-420515322979", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490243Z", "creation_date": "2026-03-23T11:45:31.490245Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490251Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ddb9683ac78ea953dc06145752a8662f16485eeddbcca3e7f466d3d148d2d2ce", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "77b5a870-8639-54ee-9d54-a7ff3674cb16", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622508Z", "creation_date": "2026-03-23T11:45:29.622510Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622516Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "092349aebdac28294dbad1656759d8461f362d1a36b01054dccf861d97beadf0", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "77b91e54-81ce-56d0-8587-ac1517abcbdb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469981Z", "creation_date": "2026-03-23T11:45:30.469984Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469993Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9fba340eece424f30bdf80126f2d72eba5165bc174ccfb5e240b281639f675e3", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "77c6fba4-3cc2-532a-93f2-a3648acc9a78", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810100Z", "creation_date": "2026-03-23T11:45:31.810103Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810112Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fc02b24769fc1f663fd40d2d4733e22276d08856730422f5595d4418d656a80f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "77d18535-fce9-5b08-b599-c1fee5dc51d9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478258Z", "creation_date": "2026-03-23T11:45:30.478261Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478270Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "07e8a7f0fcc8be78167704c6679c70ea184961f5a5bd2066620a4b7eeb939885", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) 
[https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "77dd89f9-ef8b-565c-b785-221113a73cec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607800Z", "creation_date": "2026-03-23T11:45:29.607802Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607807Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b1867d13a4cab66a76f4d4448824ca0cb3a176064626f9618c0c103ee3cb4f47", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "77fc4491-498b-520f-96ef-ced91cd7467b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815384Z", "creation_date": "2026-03-23T11:45:31.815386Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815391Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e4dd128411779f4e1e0a9b15dfec68c671e9b6b4b429c06668b048b15d230ea0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "77fcec05-7565-50a9-adf3-2393067c03ed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474474Z", "creation_date": "2026-03-23T11:45:30.474477Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474486Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "718e76d8cdcdf7b06342b5137f5591233aece4bf70fa9d761d38bd02993a0906", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7802e821-d9dc-5cdf-b254-4843786bf3c4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835954Z", "creation_date": "2026-03-23T11:45:30.835957Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835965Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "563a68c814f5f720b44eb252d2b4d10c048ff8034d5d44c9796862b9487a4e48", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "78110f68-ba90-5a8f-a4d4-bda3e7ac5e34", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836487Z", "creation_date": "2026-03-23T11:45:30.836489Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836494Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "823d2d249504e080aa8ca2af09f3b147675f21ba1953a0164efe3d9e90b7b12b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7817cbc4-ea14-5326-8e1b-1211056888ac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815898Z", "creation_date": "2026-03-23T11:45:31.815900Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815906Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "59a23a5ecb1d083892900e8590d97645cd01e6b6e1ae823144b833ff9311217f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "781863cd-dfa9-570a-88f3-6b80b7e5569d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144932Z", "creation_date": "2026-03-23T11:45:31.144936Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144942Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c490af54e5d4ae907873bcd1279907445b1f37413b4ec081a8b36bfb303db19d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "78190055-60c9-50ab-b3ab-d02cbf0c3dc0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827578Z", "creation_date": "2026-03-23T11:45:30.827580Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827585Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e3cff3b8a356b80eda5fd748c23691dd711b2d6553ff373e43dd4025b40b0ad5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7824f082-58f7-5f3a-ad77-d557d2a4bc99", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809544Z", "creation_date": "2026-03-23T11:45:31.809547Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809555Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "771b9b964d2e3d7a6743d28371622c14d6dd695ac5cc6a1b16449415608f50a7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "782a2e1c-0cc5-594a-bd9f-7e20daa50099", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144577Z", "creation_date": "2026-03-23T11:45:32.144580Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144585Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"966cc215b2b8eb69aab3393114a10b7e07ba83df5b2587cb47fd3b172a3fa7cb", "comment": "Malicious Kernel Driver (aka driver_312c83a9.sys) [https://www.loldrivers.io/drivers/495f0f36-c5e0-467d-8115-b5bdbe7ff686/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7830904f-3bea-5bd3-b2a1-0670d96b8abd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815832Z", "creation_date": "2026-03-23T11:45:31.815834Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815840Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7d15fdcd606dc03b61badd7cacba1a62ddab3aa5acc174bc4b3573beec377591", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "784639c3-8701-54cc-87a4-4514b6953fc5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.828459Z", "creation_date": "2026-03-23T11:45:31.828461Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828467Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "045365894e5d26b620eff819cce3f823e114f7b25ed1cd50b870bf81444bbe8c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7846edc1-3f02-5bd5-b92f-8ebae75947fa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155632Z", "creation_date": "2026-03-23T11:45:31.155634Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155639Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4f0a2ac804c356a80313aa31dcc9c486cfd9078df64b65017d74be395d6cb9ec", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "784c165f-1e92-52c6-bd1e-108bd18b4df6", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975913Z", "creation_date": "2026-03-23T11:45:29.975915Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975921Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ff09bb919a9909068166c30322c4e904befeba5429e9a11d011297fb8a73c07", "comment": "Gigabyte vulnerable driver (aka GVCIDrv64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "78595590-0f19-5b92-bf1a-74742f1f44f4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977916Z", "creation_date": "2026-03-23T11:45:29.977919Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977924Z", "rule_level": null, "rule_level_override": null, "rule_confidence": 
null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a8c558e74ebe35a095a5b79d4bb26c10b18f8ebb449365e742f856d4e032555c", "comment": "Malicious Kernel Driver (aka daxin_blank6.sys) [https://www.loldrivers.io/drivers/3d1439e9-9a7d-497a-8c6c-74513f825d6a/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "785dbe37-862e-5e72-a198-c01f0b51e93a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816935Z", "creation_date": "2026-03-23T11:45:31.816939Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816955Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "001bdb1e584eede0b46a7fb21e678303e2370b2b176ecd7bba803d0afc2b244c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "78685f2a-35d1-5a09-bdee-24c61ed9963c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831145Z", "creation_date": "2026-03-23T11:45:30.831147Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831152Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f8a387b02f003e7a45f5e4a99fe2a52dc239e6e7f77383eb97e477ace0808f79", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "786d4b1a-9a1f-550b-943a-037be644c7ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979709Z", "creation_date": "2026-03-23T11:45:29.979711Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979716Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd759c6b9c4222c7b19e8b0ba7288d7395594d6884b9bcdf0ccfada3e6b7a8d5", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7874a311-e4b6-538d-acdc-63f401b6d801", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818399Z", "creation_date": "2026-03-23T11:45:30.818401Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818406Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "065a34b786b0ccf6f88c136408943c3d2bd3da14357ee1e55e81e05d67a4c9bc", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "787e30d4-7582-5d2f-b193-c77fa09b8ddd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969116Z", "creation_date": "2026-03-23T11:45:29.969118Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969123Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", 
"value": "17687cba00ec2c9036dd3cb5430aa1f4851e64990dafb4c8f06d88de5283d6ca", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7888a8d3-bdd8-533b-b862-c33714323e6f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453343Z", "creation_date": "2026-03-23T11:45:30.453346Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453355Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "84739539aa6a9c9cb3c48c53f9399742883f17f24e081ebfa7bfaaf59f3ed451", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "788cc8a2-8204-5039-99d8-10fa825d98ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146601Z", "creation_date": 
"2026-03-23T11:45:32.146603Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146608Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1df739ca8e7763776f84b421c7859fccb2fbfd47cf27f9980f646597f5ae7836", "comment": "Malicious Kernel Driver (aka driver_89036534.sys) [https://www.loldrivers.io/drivers/750a8aa9-a87c-4142-b96b-18ea139ada14/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "789a395a-0cbc-5aa1-ac63-97d2ec542285", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812756Z", "creation_date": "2026-03-23T11:45:31.812759Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812767Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "01ac08508f5e8224d00cee894d551ba032fb0c4f72addba4154b6d1fc710a25b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "78a649d6-5538-51fd-b671-49800400722b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974783Z", "creation_date": "2026-03-23T11:45:29.974785Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974791Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6bdf465db8860c80051d4d1b9db1c3153ab65c252f9500b85efc56d255b4cb1d", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "78aeb5c2-d17d-5edc-889a-d5eb1ba8c4e3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980993Z", "creation_date": "2026-03-23T11:45:29.980995Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981065Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"e89afd283d5789b8064d5487e04b97e2cd3fc0c711a8cec230543ebdf9ffc534", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "78c0cf7d-5d08-501e-9259-31f7b1ca041b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614614Z", "creation_date": "2026-03-23T11:45:29.614616Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614621Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5d530e111400785d183057113d70623e17af32931668ab7c7fc826f0fd4f91a3", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "78c61919-9a0b-5031-8ba3-43d90e666e9f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159849Z", "creation_date": 
"2026-03-23T11:45:31.159852Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159858Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bc97e34326627da82b7c070491e018890190ad14224b153c4fca107eca0ff998", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "78cebc51-b13f-57fc-8f28-f657eeef5792", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825540Z", "creation_date": "2026-03-23T11:45:30.825542Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825548Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "314d5dbb5fcd4feb7560a129fc7167718d59e11c40586f2342e03a282910ec2e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "78d60d9b-5b21-549c-952b-0eb293816811", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617272Z", "creation_date": "2026-03-23T11:45:29.617274Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617279Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9305f0834e67aa16fb252bd30927e5f835639ef4b868f20d232260edffefd6f0", "comment": "Noriyuki MIYAZAKI's WinRing0 dangerous driver (aka WinRing0x64.sys) [CVE-2020-14979] [https://www.loldrivers.io/drivers/f0fd5bc6-9ebd-4eb0-93ce-9256a5b9abf9/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "78de01de-0931-5b75-a54a-ed0d0908936a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835176Z", "creation_date": "2026-03-23T11:45:30.835179Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835189Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", 
"value": "5f37c74b4ef7804653d9c1aa12237c3b01caa297544db5e0b4cdb90e5f5a8be8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "78e444a6-050d-5276-88c2-f959ba6f201d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156904Z", "creation_date": "2026-03-23T11:45:31.156906Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156911Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5bfc2787dc5265a1c260409f6c42639c7aeed978924f4924f7c695083b184c30", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "78ef95d4-b94a-55a1-b9c8-753438d31203", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605267Z", "creation_date": "2026-03-23T11:45:29.605269Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605274Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "594b3e2ce945a7db3a16ef23da39997ddc12337266ecf8ad326ffcf2c4ee1bc8", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "78f2a00f-f06c-595a-bb4c-28577e09d7ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488170Z", "creation_date": "2026-03-23T11:45:31.488172Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488177Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0fa1f1e15af1793f292683e0ec1abb0ee60bf21a3ce8cd8792f859ead578e2ac", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "78f416b1-058f-5e1a-9dc4-1ab9965914b7", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981278Z", "creation_date": "2026-03-23T11:45:29.981280Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981286Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8ae383546761069b26826dfbf2ac0233169d155bca6a94160488092b4e70b222", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7909bf95-a53e-57eb-a90f-ed8b8981f3a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975255Z", "creation_date": "2026-03-23T11:45:29.975257Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975262Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"37f16c8232ec679ee400c76272fc9b56977524e70cfd5cce375ab79f4750bf64", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7913d6f9-9654-5c64-8d4f-7737b7911bfb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818860Z", "creation_date": "2026-03-23T11:45:30.818862Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818868Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7690ef2838bda2327116243c1792090125b36a5840464e010acdd103f7369807", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "791c6f5b-95b5-5737-80b8-af0fda71a54e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160421Z", "creation_date": "2026-03-23T11:45:31.160423Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160429Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f2291c7a5f6e186bf095ecb2a86d4ad42ca413a8d8075ee486f5b1c82599a19d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "792c92f7-1ec0-5043-87e3-2607a075b827", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825386Z", "creation_date": "2026-03-23T11:45:31.825388Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825394Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "93d7bbc215f593f416e1582ed7426837cccacb2e2e599ded297c524c294e2869", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "79341eb9-dd29-519f-9cda-c91be93de50c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820825Z", "creation_date": "2026-03-23T11:45:30.820827Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820832Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c586befc3fd561fcbf1cf706214ae2adaa43ce9ba760efd548d581f60deafc65", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "793a11e2-38d9-5fce-99ae-19a431425fea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981296Z", "creation_date": "2026-03-23T11:45:29.981298Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981303Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0bd164da36bd637bb76ca66602d732af912bd9299cb3d520d26db528cb54826d", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "795a64ed-a003-50c5-83bd-ee5f0070fe54", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821944Z", "creation_date": "2026-03-23T11:45:31.821946Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821962Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0e833157a12ac6f032c43616f5d9506674cc860a85add76cbd9d007c3ad09ad3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7960d647-9791-5344-a1ac-1759f380e604", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974052Z", "creation_date": "2026-03-23T11:45:29.974054Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974059Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e4d9f037411284e996a002b15b49bc227d085ee869ae1cd91ba54ff7c244f036", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7962022d-c3bf-5abb-9a67-2f7baf0bc17c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.815915Z", "creation_date": "2026-03-23T11:45:30.815917Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.815923Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1970400679c3ae7000f1ba3e0f12c2d5443df7fbb8947cabe45c7ae977806efb", "comment": "Vulnerable Kernel Driver (aka FPCIE2COM.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"7962e7af-6356-57cd-9dcc-693697680153", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461906Z", "creation_date": "2026-03-23T11:45:30.461909Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461918Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ece76b79feafb38ae4371e104b6dcbb4253ff3b2acbe5bd14ce6e47525c24f4a", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7966a510-817b-5d16-8e0e-dd52c567a236", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477026Z", "creation_date": "2026-03-23T11:45:30.477029Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477038Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "a1b56ae08d822bb5d041c2a67584371ffddcb7f6d69191efec5b8189e0028331", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "796f755b-1889-544c-b4f6-b822c5beaf3a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982730Z", "creation_date": "2026-03-23T11:45:29.982732Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982738Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a84bec9cf836c3abdc0f99e389c72041b6c2b1ba2921d272436e2b8a9b98afb1", "comment": "Vulnerable Kernel Driver (aka d4.sys) [https://www.loldrivers.io/drivers/c2e70ee6-2f13-4d43-ad5a-c2bf033cc457/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7975ddd7-dd13-5557-ab6b-169625ce1219", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972178Z", "creation_date": 
"2026-03-23T11:45:29.972180Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972185Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c21e7ce6ef61ee173e11104252c8d9a22a976f5dd61c83c2f54f363e67feee93", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "798055c0-66ae-54bd-bc3c-1858f90ba9db", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494867Z", "creation_date": "2026-03-23T11:45:31.494887Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494893Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "165b01284ea23d63d615859002fa9d212fea61cffe9094deba8dc55ae40f177d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "79820787-2b97-5e4a-91e0-d2f89ef29a7f", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614753Z", "creation_date": "2026-03-23T11:45:29.614755Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614760Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "98b734dda78c16ebcaa4afeb31007926542b63b2f163b2f733fa0d00dbb344d8", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7986f81c-f3e2-5314-9493-c9006a7d2be8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617661Z", "creation_date": "2026-03-23T11:45:29.617663Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617668Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"fb19f241ddae74ec4a0f87dff025ec68dc809f9dd883649c0e58822de28e6f1b", "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "798f0449-f4be-577e-9c39-aacac3c3c61d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476789Z", "creation_date": "2026-03-23T11:45:31.476793Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476802Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "87e396f5825bce67a694ab32e41c99e40312598edc6889a7c7f31c9f6414e4c4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "799130e4-3639-5ecf-a992-df7a3cfe26ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:30.817793Z", "creation_date": "2026-03-23T11:45:30.817796Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817804Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "51859571d807d984e4f1cf145d5d74491feabd19327309c2c598c496a1976c70", "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "79a8e591-6acc-5c03-b18c-7a06f15f2538", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979929Z", "creation_date": "2026-03-23T11:45:29.979931Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979937Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "66d59e646f3965bc5225eca4285ae65f34b8681fb1bee3eaf440f6795b2fa70f", "comment": "Vulnerable Kernel Driver (aka FairplayKD.sys) [https://www.loldrivers.io/drivers/31686f0e-3748-48c2-be09-fc8f3252e780/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "79b143dc-4f06-554a-ab7c-b68fe01a84db", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807465Z", "creation_date": "2026-03-23T11:45:31.807467Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807473Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0202d1edcd86145beb45be24f2af3d5b5652c28a6eef80b8518bee2df31bd347", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "79b2dac3-68ce-5168-89fc-a3423e0df862", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.484783Z", "creation_date": "2026-03-23T11:45:31.484787Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484797Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"4eaed32c4a725c43c3f5b5666a3c5d24fc89b435cf3d2388fdd37e856902204b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "79b8790b-36e6-5f62-b401-4604bc093ae2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621967Z", "creation_date": "2026-03-23T11:45:29.621969Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621975Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9512115b60e67fa268a7463119add2404150842bb3dffa41124b12dd9cb580a2", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "79e848a9-6f06-5653-b5ee-49ee2ebc6b8d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608544Z", 
"creation_date": "2026-03-23T11:45:29.608546Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608552Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cfb7af8ac67a379e7869289aeee21837c448ea6f8ab6c93988e7aa423653bd40", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "79fbe06e-e59b-566f-b9cc-b21f65750e9d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830517Z", "creation_date": "2026-03-23T11:45:31.830519Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830524Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9165d4f3036919a96b86d24b64d75d692802c7513f2b3054b20be40c212240a5", "comment": "Vulnerable Rentdrv2 Driver (aka rentdrv2_x32.sys and rentdrv_x64.sys) [https://github.com/keowu/BadRentdrv2, https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "79fd5c59-21fa-5d10-aa23-d747f2cf98b0", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.497781Z", "creation_date": "2026-03-23T11:45:31.497784Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.497793Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "607eeb68431468850b48f805deedd5d28c9f46db4f830f7478f583ce00104c1d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "79fd87d2-d887-522e-b7f5-ceb2188cbf48", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160082Z", "creation_date": "2026-03-23T11:45:31.160084Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160090Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "622a4e536379a8ce8b2952d62e648ed38a5a4671073d135cfd845d1e6c2dbe32", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7a139dcf-c09d-5828-b8b7-1d635b6e9d6a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811257Z", "creation_date": "2026-03-23T11:45:31.811259Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811264Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "52f99c59a2b6435be245ef03c7df4567e414791f4eb85e42b89c9a884fba3a1f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7a22d28d-ab8e-5f10-897d-d54e7f1eec70", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831163Z", "creation_date": "2026-03-23T11:45:30.831165Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831170Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "74676ad031b03d26fac1425c1328262abed379ded73983efccea71668058633c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7a235aae-3d58-50ac-8237-cf29539344cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830411Z", "creation_date": "2026-03-23T11:45:31.830413Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830418Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c60f7f3d1a2ffb80baee5f29cc13b435162f15b21c5d643276f1a9d2dde83b03", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7a433bab-94d6-59e5-b664-cb5c67d248d8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827293Z", "creation_date": "2026-03-23T11:45:31.827295Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827301Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a6b7001bad1770540f04ccd63933e231d9f4739d61bf2cc2c6a5080f954f9296", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7a46c618-76aa-59cf-9fe5-568e708df909", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820248Z", "creation_date": "2026-03-23T11:45:30.820250Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820256Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cec5964d7e32c52439d5eb660fa97827b619a7da9f3264f0c9fa4b69e3cb7cc1", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7a4a17d4-8003-5f15-b448-a344e42ba920", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614161Z", "creation_date": "2026-03-23T11:45:29.614163Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614168Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2270a8144dabaf159c2888519b11b61e5e13acdaa997820c09798137bded3dd6", "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7a7c4c2f-ae12-566a-95ae-7b4d8f316613", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815509Z", "creation_date": "2026-03-23T11:45:31.815511Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815516Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f118bf09da64c4e9e5ed719cb23bde8f7b689c9ee32522f936c86f9d12ccdf64", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7a87140d-b469-54cb-90cf-626ccdd71509", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622474Z", "creation_date": "2026-03-23T11:45:29.622476Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622481Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7dfc2eb033d2e090540860b8853036f40736d02bd22099ff6cf665a90be659cd", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7a9c31a7-a09c-5135-8aa1-1f2af39446e9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458494Z", "creation_date": "2026-03-23T11:45:30.458497Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458505Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4c21b7065cb961127ab9e2a0251ab8d50cfd65369a41e88e36bc2908af2b1d8d", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7aac41e8-e037-55f1-9603-a098eb1db07d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985915Z", "creation_date": "2026-03-23T11:45:29.985918Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985923Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "82b0e1d7a27b67f0e6dc39dc41e880bdaef5d1f69fcec38e08da2ed78e805ef9", "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ab3fe55-b159-54b1-b78b-d458de4410cc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476532Z", "creation_date": "2026-03-23T11:45:31.476536Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476546Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "580560d9a5e1122524037da3faaedc5590ee08ad64a0134dcf735cd1d4754c0d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ac080d9-e10f-5e4d-bba2-d81891018bf9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976101Z", "creation_date": "2026-03-23T11:45:29.976103Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976108Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "09934191a9af0ab2fb1dd47a1d0e0c7c3537b53286828ffaf361d0eeac045ccb", "comment": "SystemInformer driver (aka systeminformer.sys, formerly known as kprocesshacker.sys) [https://github.com/winsiderss/systeminformer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ac9ceff-40fd-5cff-8673-32431232cc31", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980900Z", "creation_date": "2026-03-23T11:45:29.980902Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980907Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c8ff7c9f510f7a2ed88d9b336d8c9339698d5e1ee14bfb91aa89703ec06dce42", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ad00c41-a229-591d-8c96-181726e4d1cb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984858Z", "creation_date": "2026-03-23T11:45:29.984860Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984866Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0040153302b88bee27eb4f1eca6855039e1a057370f5e8c615724fa5215bada3", "comment": "Dangerous Physmem Kernel Driver (aka BS_Def64.Sys) [https://www.loldrivers.io/drivers/4a80da66-f8f1-4af9-ba56-696cfe6c1e10/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ad1aac4-dfb5-5d05-a172-0ff4f1097783", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143576Z", "creation_date": "2026-03-23T11:45:32.143578Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143584Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f8d45fa03f56e2ea14920b902856666b8d44f1f1b16644baf8c1ae9a61851fb6", "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ad1d438-bddc-5c68-9a7b-aab0db6f0994", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146154Z", "creation_date": "2026-03-23T11:45:32.146157Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146162Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "65205e494d01e07c27da9a623ee5edad33dbcedc755ef5155b19cb2e908cf185", "comment": "Malicious Kernel Driver (aka driver_a6deeea6.sys) [https://www.loldrivers.io/drivers/f694c0e1-b75d-4c41-acbd-a87b72d8abe4/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ad2d8b8-faf4-5dd8-816b-d36d4cf3c534", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485071Z", "creation_date": "2026-03-23T11:45:31.485074Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485084Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "193bcdc0b0107f36cb04123b1f0775905b5f632b5dd1efcddfbc3ebb53953f7c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ad771c4-5e40-5093-8c05-59f0142279bc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621703Z", "creation_date": "2026-03-23T11:45:29.621705Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621711Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "506f953bbb285aeb8af0549eb24f52f3b7af36afe740afa36735bac70573ce28", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ae5948e-9aac-507b-a2f9-ac56fc445743", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820320Z", "creation_date": "2026-03-23T11:45:30.820322Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820327Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff322cd0cc30976f9dbdb7a3681529aeab0de7b7f5c5763362b02c15da9657a1", "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7af5594d-4d91-580a-a1e6-5b5984bef814", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612249Z", "creation_date": "2026-03-23T11:45:29.612251Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612256Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"aac86a3143de3e18dea6eab813b285da0718e9fb6bc0bbb46c6e7638476061d8", "comment": "Vulnerable Kernel Driver (aka mhyprot3.sys) [https://www.loldrivers.io/drivers/2aa003cd-5f36-46a6-ae3d-f5afc2c8baa3/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7b04bc1c-8ffe-5005-8c15-126167301243", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819655Z", "creation_date": "2026-03-23T11:45:30.819657Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819663Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b2364c3cf230648dad30952701aef90acfc9891541c7e154e30c9750da213ed1", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7b1b0d08-d4b7-532a-8718-493cb90ab7c0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974126Z", "creation_date": "2026-03-23T11:45:29.974128Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974133Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ed2f33452ec32830ffef2d5dc832985db9600c306ed890c47f3f33ccbb335c39", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7b279ba1-ed75-5bcc-b5de-6bed9968da5e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454506Z", "creation_date": "2026-03-23T11:45:30.454510Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454518Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1b948219fd5d424f15ed9b5c7058d09b9559a14245b9bda5e805f9a8e5acecd1", "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) [https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7b2dfad3-782c-5d0b-87da-32fbc642bfc6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609393Z", "creation_date": "2026-03-23T11:45:29.609395Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609401Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "34da66774ba09c4a8fc59349401ca1fefaaf4e66a9c620c7782c072a16089ba3", "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7b44becc-73a2-5778-a56c-2bed822ab2cb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823051Z", "creation_date": "2026-03-23T11:45:30.823054Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823059Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ae71f40f06edda422efcd16f3a48f5b795b34dd6d9bb19c9c8f2e083f0850eb7", "comment": "Vulnerable Kernel Driver (aka FH-EtherCAT_DIO.sys) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7b47358d-1fac-52bd-bc0d-51e6027f914b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810912Z", "creation_date": "2026-03-23T11:45:31.810914Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810919Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7c3bdaec45bf06af38d31ed418d39eae539fd52f17003e563b3b838888f9f826", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7b4d2daf-1d2a-5d51-b39b-b81c8aedc4bb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147673Z", "creation_date": "2026-03-23T11:45:31.147675Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147681Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "07261cf107fc56e6fd2849de2f000ef8540117f2da87a37bfd96ea71c08826aa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7b4ea073-a01f-571a-946a-6064234f66c8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490696Z", "creation_date": "2026-03-23T11:45:31.490698Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490703Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "05f63faf0945bb537ddc7ea671a0df2f5c1eff90a33c20dcbc5eb206b00a848d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7b542c21-c392-5b7e-a39a-46849e297afb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829447Z", "creation_date": "2026-03-23T11:45:30.829449Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829455Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b29557159b2e112e50c26cb33c815cf842f61ee0a4f690c87a51641d67711531", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7b614eee-e86b-58b6-9c69-42948b8f2950", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974349Z", "creation_date": "2026-03-23T11:45:29.974351Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974357Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5b08743c8e1de8343ab0a0d453ca76487c6a438608c68c2b2921ea2c2a92821c", "comment": "Trend Micro 
Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7b63620a-4b55-56c5-a7ef-384eb22b9a82", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460040Z", "creation_date": "2026-03-23T11:45:30.460044Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460053Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ad215185dc833c54d523350ef3dbc10b3357a88fc4dde00281d9af81ea0764d5", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7b656e61-0e2b-5e1d-966f-6d0665acd09f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145605Z", "creation_date": "2026-03-23T11:45:31.145607Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145613Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "995ffff831e9b9135012eabc66a5fc24034b00e6b9f09c722de8991e0e6e63c0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7b6638e5-4d18-5495-8dbe-19eec173d358", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975656Z", "creation_date": "2026-03-23T11:45:29.975657Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975663Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "904e0f7d485a98e8497d5ec6dd6e6e1cf0b8d8e067fb64a9e09790af3c8c9d5a", "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7b6de935-0ce6-5c99-aaf0-b75a731f56d7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477005Z", "creation_date": "2026-03-23T11:45:31.477008Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477017Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c8caaf6e9de9ad63ff4a4443c39a7e690f3682ed31c1c8a5f0e6598abf023fe4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7b84fa70-a485-5c8c-b90b-408476669e4c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971150Z", "creation_date": "2026-03-23T11:45:29.971153Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971161Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"77586c3968ec72ad19fa7098c9da27b0677e45220812eaab197075f4175e8cc6", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7b8b3458-2975-5dd8-9a0a-2a384b30ea65", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144428Z", "creation_date": "2026-03-23T11:45:31.144430Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144436Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "07389bfd37f19dc970fe04ecad830eca1a85dfe47336f35ad29051c40f207c44", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7b9aaba3-bb19-5b58-a839-93119c24a75e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830077Z", "creation_date": 
"2026-03-23T11:45:30.830079Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830085Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b5711def9267bbc6ece42f46e3c313e3e89d3693bc75545fa7622513b2921325", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7b9d100c-776a-5d74-ae09-4d412883d99b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144633Z", "creation_date": "2026-03-23T11:45:32.144635Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144641Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "099ef4915d7899be543d891b48960c1d1604c55468c1377a6f71ce0e1a33c946", "comment": "Malicious Kernel Driver (aka driver_099ef491.sys) [https://www.loldrivers.io/drivers/2ba1bccf-d8d7-464a-9ae1-41371c55e5e8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ba36510-e951-56e3-a01f-3c20770215ef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149354Z", "creation_date": "2026-03-23T11:45:31.149356Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149361Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "42eda58539cf9fe8cdf7ecca8b15e09f43ba54d30bb105d0dc45814bfc6495a8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ba38b3b-9fc0-589b-b36e-523c78d73de9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474814Z", "creation_date": "2026-03-23T11:45:31.474818Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474828Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"c80868601bc7d351f0739bfa5080bec3a3796e6414e7ceb14238e1f6a5adad52", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ba58b9d-a747-561c-b4c1-9338d25425ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984052Z", "creation_date": "2026-03-23T11:45:29.984055Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984060Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a82d08ef67bdfccf0a2cf6d507c9fbb6ac42bd74bf2ade46ec07fe253deb6573", "comment": "Vulnerable Kernel Driver (aka SysInfo.sys) [https://www.loldrivers.io/drivers/84ccb68d-ce34-4aa2-98d5-7f473c2e1b07/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ba98854-e81b-5732-9a0a-58bacc59d156", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487125Z", 
"creation_date": "2026-03-23T11:45:31.487127Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487132Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "20cf6c47a4f35f5b1d23f726323ea9de093dc6c76b8f83950fdf71802e51a5e0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7bc4d7bf-3147-5613-9468-b34104232fb0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145990Z", "creation_date": "2026-03-23T11:45:32.145992Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145998Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0a6366066bc6003f347eadc6fe6c8994fded09fb7d5d24d0ddac3936ae1437a7", "comment": "Malicious Kernel Driver (aka driver_0a636606.sys) [https://www.loldrivers.io/drivers/82087b26-b649-4ad1-a353-3a225c757ff7/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7bcb2eaa-9dd8-5570-845d-2d5dd351906d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492408Z", "creation_date": "2026-03-23T11:45:31.492410Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492419Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "316bbde0484b82f35e1169104a7f155bc363aca7a511e9e117a14a4b6960fc61", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7bf437bf-ea92-525d-88ed-cb6f07d0b596", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481679Z", "creation_date": "2026-03-23T11:45:31.481683Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481692Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"792b70d8d3c67791e524a699461526a17f79bddc4a6b2f3753373fcc44b20cca", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7bff1a91-091f-582c-b6e6-6aa1f1c2865c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615520Z", "creation_date": "2026-03-23T11:45:29.615522Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615527Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "98f5cb928827e8dadc79c1be4f27f67755dbeb802c3485af9cace78b9eb65c59", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7bffff0f-b5ae-5058-abb5-ff66b6f478c1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:31.499957Z", "creation_date": "2026-03-23T11:45:31.499960Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499969Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ecdde68b3e543dee38dcccf9be2e180ffdb0feab69cc3ccb4e0b97f81cd14f51", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c00cebd-5b5d-5844-b36e-8e9f50ed21d9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605340Z", "creation_date": "2026-03-23T11:45:29.605342Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605348Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "041604b952fd390eb6f23008ed2cb30dff4155d8854561719467b07ccf48702b", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c05d8d5-c3dd-54f4-bb12-0a3336ad0301", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607147Z", "creation_date": "2026-03-23T11:45:29.607149Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607154Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5", "comment": "Dell vulnerable driver (aka dbutil_2_3.sys) [CVE-2021-21551] [https://github.com/SpikySabra/Kernel-Cactus] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c088a97-8e38-52c0-a0d6-de5ac4bd0efe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830446Z", "creation_date": "2026-03-23T11:45:31.830448Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830454Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "01e8b9d3ab61de6d120ea4f99e362533a297c929519f7c4c3df06e707f52958d", 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c09e0af-0d08-5e83-99d4-f4b9dea813a7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973112Z", "creation_date": "2026-03-23T11:45:29.973114Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973120Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f276197c07995a51ab703f1c96bb9fc45db244c0c5ef8a2d160c6db6f3e38947", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c0a3c6d-4f3b-5b50-84a5-33cbb7946bc7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147500Z", "creation_date": 
"2026-03-23T11:45:31.147502Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147508Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9f444505502eaf2f1c0ef864b5e24f86d38a3c443244463eb003718eab66f35d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c11dc99-ca07-50ed-8a7e-3ea7ae89a69d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826066Z", "creation_date": "2026-03-23T11:45:31.826068Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826074Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd2a2a3ce64c455ade0980cc9c5100593f27b6ecdda33bba51884412f011bdb8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c124c64-059e-5c55-b584-e4bbe08dc6b7", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615867Z", "creation_date": "2026-03-23T11:45:29.615880Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615885Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2018ad5f3695295599f756caf556722291485cd67eb9c3f7ec701b206cca4e00", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c1695f6-5324-5704-ba5e-1e5964685563", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830205Z", "creation_date": "2026-03-23T11:45:30.830207Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830212Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", 
"value": "39665ac910c4ed6526bc92452d231f752289db6dc324de6c4ba6e8693bf15f00", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c19ecb4-9bff-53b8-b119-28d42709d3c8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968221Z", "creation_date": "2026-03-23T11:45:29.968223Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968228Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "38c18db050b0b2b07f657c03db1c9595febae0319c746c3eede677e21cd238b0", "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c1de419-13c2-52db-bf7f-034f1e538aea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.832986Z", "creation_date": "2026-03-23T11:45:30.832989Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832997Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "45298a81ff6b22e7f578f939559bac22a9ed907e0e64550a623903de6ecec98e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c1fb99f-5a5c-5654-9f6a-4619a0313abc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836029Z", "creation_date": "2026-03-23T11:45:30.836031Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836037Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "674a250422906f220f76af3631cf093ea1db13b47401f0f0cd66c484186829c2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c27d188-6bb8-5537-b22c-f75383a2d319", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461211Z", "creation_date": "2026-03-23T11:45:30.461214Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461223Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "af10796af9886b896de11d9067ed2b1569e48e0a5a8cacbc06bc50a533d8bec8", "comment": "Vulnerable Kernel Driver (aka sfdrvx32.sys) [https://www.loldrivers.io/drivers/6c0c60f0-895d-428a-a8ae-e10390bceb12/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c29ae6f-588d-5484-b6d7-73e40ba1f4d9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616496Z", "creation_date": "2026-03-23T11:45:29.616499Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616507Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", 
"value": "fda506e2aa85dc41a4cbc23d3ecc71ab34e06f1def736e58862dc449acbc2330", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c37fe24-c1ed-530c-aa17-90d2a263e0b9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159943Z", "creation_date": "2026-03-23T11:45:31.159952Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159961Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "61401cb144607a6d805877ef659049461afc2376351011206b34216d743dce63", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c3b76f4-4456-5169-8852-bdc4b34182d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:30.823088Z", "creation_date": "2026-03-23T11:45:30.823090Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823096Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5e7b92e6a1f656a70ed56ef2a190fce6bb3f12063b891fbfd722ca4e951de15f", "comment": "Vulnerable Kernel Driver (aka FH-EtherCAT_DIO.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c43c7e1-90a7-5a28-8033-7075f6503569", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.471963Z", "creation_date": "2026-03-23T11:45:31.471966Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.471974Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8ab9c0033fe779dba2bf6f906ab9efff7ae2ba6c89616b8a4529c9e74bf7a388", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c5d9dc9-affa-5db5-bfa8-fbd0cf5488fa", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498759Z", "creation_date": "2026-03-23T11:45:31.498761Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498766Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4888e5bb988e9b5058dfe0231c2ceb7a2312a24a8451b1171a45941ff82f41d6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c6346cd-6873-5155-9a29-9b96ef8fd4bb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809236Z", "creation_date": "2026-03-23T11:45:31.809239Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809248Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "857e860762ee61ba6c1830fe0535c2c252e41facfba7237afc32def9a5338257", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c70c1ba-d5cb-57db-8b8b-719fa836280e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979481Z", "creation_date": "2026-03-23T11:45:29.979483Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979489Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e6f764c3b5580cd1675cbf184938ad5a201a8c096607857869bd7c3399df0d12", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c72b120-df7a-56cc-8d96-efe81acea998", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610014Z", "creation_date": "2026-03-23T11:45:29.610016Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610022Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "253ed7f5c7115e957dfdb1f5c6c51592b491a70b27787903c8fd848e45b9cf22", "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c73769b-76b1-58fc-836f-3d4257efc14b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807310Z", "creation_date": "2026-03-23T11:45:31.807312Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807318Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "db4acfc49be21a6fa503473ab2fd5573660f9c426f57de54f99c1b69ab634d42", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"7c839334-c76e-57f0-b0e6-59d085100b28", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812674Z", "creation_date": "2026-03-23T11:45:31.812678Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812687Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4610c4d17ba378f06dd4fe2ad8be4d9c49c5a27185fe36b29afc9f9c39330df0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c855a93-006c-5a14-86cb-3feb502b6bef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833810Z", "creation_date": "2026-03-23T11:45:30.833813Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833822Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d373400b4c6093dc6c06d5228d6f5419d16e1084c7ee2748e867e8acfc36e635", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c8cb881-f36d-57f8-bb4e-e8a471aaeb89", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498119Z", "creation_date": "2026-03-23T11:45:31.498123Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498130Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "34c7a941c54c83fd0a9656918315d4544ecfba933e18d30d1aeef8ae634ec8e4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c8dba25-79ab-5b2b-8c9d-7c5a80e20caa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477931Z", "creation_date": "2026-03-23T11:45:31.477935Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477945Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2dee1a21f277a107ad0f8e76e42cbd255e529f87bb1b16d64bd79771a7270ed4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c915589-86f6-50a7-a39f-f3cae1dc435e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823608Z", "creation_date": "2026-03-23T11:45:30.823610Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823616Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c3552940a50d22dd481c5b5cc5f76b98cf57bae05741a813647f88d84a9a48b5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c934d41-eb80-5e55-bbaf-5d6546a15fc8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463042Z", "creation_date": "2026-03-23T11:45:30.463045Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463054Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2da2b883e48e929f5365480d487590957d9e6582cc6da2c0b42699ba85e54fe2", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c939e3f-0d92-5a3d-b40d-d1d29d972fd7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979995Z", "creation_date": "2026-03-23T11:45:29.979997Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.980002Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e4a7da2cf59a4a21fc42b611df1d59cae75051925a7ddf42bf216cc1a026eadb", "comment": "Vulnerable Kernel Driver (aka Monitor_win10_x64.sys) [https://www.loldrivers.io/drivers/ca415ed5-b611-4840-bfb2-6e1eacac33d1/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c9aa0e8-808f-5103-b7f5-f0774686e9e9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973827Z", "creation_date": "2026-03-23T11:45:29.973829Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973834Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "89108a15f009b285db4ef94250b889d5b11b96b4aa7b190784a6d1396e893e10", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7c9b1b13-14f1-5199-b92b-db5d1d503e11", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463526Z", "creation_date": "2026-03-23T11:45:30.463531Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463540Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a78c9871da09fab21aec9b88a4e880f81ecb1ed0fa941f31cc2f041067e8e972", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ca3fb71-5f7f-5b73-bf66-91372bf455ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142593Z", "creation_date": "2026-03-23T11:45:31.142595Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142601Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ac916d75cd309ea2f40e7a75c645a52e5f1fc39827605b05f4968dcd2b059ab3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7cab0cb2-a8d0-552a-9d2b-1e76d389454b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148916Z", "creation_date": "2026-03-23T11:45:31.148919Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148924Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "39b976b15968a825cb241307a47dfd03cd263c2d6dc583741c8937264b0dfa1f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7cb2016b-cba2-5145-944f-c88293c178c0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481623Z", "creation_date": "2026-03-23T11:45:30.481624Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481630Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a2dee316cd07963c2eb7ebb1b4189eca78786c835aaafeb6467b37c1353d821a", "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7cb5907d-8057-51af-8865-016f2192220d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825277Z", "creation_date": "2026-03-23T11:45:31.825281Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825291Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5b3c82a363f5f4cd33100619977fa030b40aecf139145534649fb9855a94d06c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7cb77c52-f623-57cc-9479-8dd7acf979d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481731Z", "creation_date": "2026-03-23T11:45:30.481733Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481738Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "19595c3de596f8b705eef1b135768d3051305698ceed083401f8acfba4bd5393", "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7cb948a1-79ee-56b4-b7e7-e09f8e14b1e9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975060Z", "creation_date": "2026-03-23T11:45:29.975062Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975067Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c5251d84f6dab1327b2f1ea0c5ccbe4b2790ae6eda0e20aa9d9acfc01e427fd9", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] 
[https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7cbdb0de-3ff9-56a5-85ca-6f599768f2c0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481586Z", "creation_date": "2026-03-23T11:45:30.481588Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481594Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eae5c993b250dcc5fee01deeb30045b0e5ee7cf9306ef6edd8c58e4dc743a8ed", "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ccc0042-e2fc-5016-8335-37ae8532ebdc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468047Z", "creation_date": "2026-03-23T11:45:30.468050Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468060Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ae55720475ab1c67e39720954111b90e96a5ebf5d3b91277f4c225a228d8739a", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7cfe9c60-6ac5-5f72-b2cc-9ac94046baa2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829827Z", "creation_date": "2026-03-23T11:45:30.829829Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829835Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "75e07a123051d99caaf198834ee18164a005ff750eca127839d281f7bc5c1d30", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7d070e9d-39e2-5be5-9473-114a40c06509", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160970Z", "creation_date": "2026-03-23T11:45:31.160972Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160978Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bfb8abda2a0a39017307430131556ef48bf1183347aa91706a3e70f32c1531a3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7d0a2afd-8630-5d39-8f6f-21e6146c092c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826788Z", "creation_date": "2026-03-23T11:45:31.826792Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826800Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c85a3607f666212d7f6e5891d9c4b4f69d4c2b82dcfa1c3152922e3d2cf3fe5c", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7d13ba3c-6bd0-5b71-9760-0ca574aef54e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822501Z", "creation_date": "2026-03-23T11:45:30.822505Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822513Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "72805e13777a39b440ef381720c0491e6091f9cb6c7b387be33ca5491fcfbfbd", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7d16a9ea-b998-5a4e-83bc-a7acc28f9eec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972825Z", "creation_date": "2026-03-23T11:45:29.972827Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972832Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b59ad4a1f71f8379c89fc3bc1d2827b0785bbb0192b43549034f24a133eea3a5", "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7d325d2e-c61f-5a22-9016-f0e27001bd37", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824295Z", "creation_date": "2026-03-23T11:45:31.824298Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824306Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0172627836f81e21554aa9c917dd609475a636e6a3a7365a327c394d4c682f92", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7d3392fd-c8ff-5126-8192-78ae2d05bac8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 
10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817022Z", "creation_date": "2026-03-23T11:45:31.817024Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817030Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "82ba478ac307f29eebe91ad48c821b1a81ddfd87ec76eb3fe551fa489835f8f4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7d3a708a-ea4b-5ef2-bf2d-6e25f3c59a74", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609754Z", "creation_date": "2026-03-23T11:45:29.609755Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609761Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"fb81b5f8bf69637dbdf050181499088a67d24577587bc520de94b5ee8996240f", "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7d3dc74e-e503-52ac-8159-4c787bb48319", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143272Z", "creation_date": "2026-03-23T11:45:31.143274Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143280Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bff9f1531b378513d6385955fd17d213dbf896603d25a0609a5127b3a8010241", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7d43b8ed-1ee6-59d9-adb0-a138a7b736b5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.979099Z", "creation_date": "2026-03-23T11:45:29.979101Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979106Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fe14940b5d3068b7ceffd28a529196811f1d0e175522f4dfab26573e7aca0bb4", "comment": "Vulnerable Kernel Driver (aka LHA.sys) [https://www.loldrivers.io/drivers/eb07ef7e-0402-48eb-8e06-8fb76eda5b84/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7d4c6820-c1ca-5492-b9be-e97cb506eee6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.147077Z", "creation_date": "2026-03-23T11:45:32.147079Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.147084Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cf24c69123d4a72445547f7b5ad6738fb47f2d3fab06e3d628b7278113a63ae0", "comment": "Vulnerable Kernel Driver (aka NSecKrnl.sys) [https://x.com/anylink20240604/status/1967181190949228608] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7d665525-3db8-5c64-aeb7-c5416ed48fe9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481994Z", "creation_date": "2026-03-23T11:45:31.481998Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482008Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0795d8e203efeb47f37bbea4b99010253c1f5ada10e7f5fc23557ae2cd03e528", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7d694239-05f9-558f-aa96-f72a3881a606", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143342Z", "creation_date": "2026-03-23T11:45:31.143344Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143350Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"4503df4f3d32a5029e7029d76ea60648959278efb0fdf7ad480955a40e1b4540", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7d7045e6-3bb5-56e5-84c8-c3793242b87d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619320Z", "creation_date": "2026-03-23T11:45:29.619322Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619327Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "caa85c44eb511377ea7426ff10df00a701c07ffb384eef8287636a4bca0b53ab", "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7d838449-d69d-56d0-a7e7-5ed798b4e617", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:30.822000Z", "creation_date": "2026-03-23T11:45:30.822002Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822008Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e160fc9d1990bc1e7ffa556d6ada19db0d2c5c7aeb23a491704b37854a666480", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7d8b34c5-82a9-588f-bb50-5b30109c0c19", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825819Z", "creation_date": "2026-03-23T11:45:31.825821Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825826Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "965ed1c794e002a00da89938e099bb53c0693cef8bc6530052ac61108c21900a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7dbd6a2f-e967-5da6-863d-41cdbe298369", "test_maturity_current_count": 
0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454298Z", "creation_date": "2026-03-23T11:45:30.454302Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454311Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d", "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) [https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7dc38898-5a40-51dc-9035-5ea6a62c5420", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978633Z", "creation_date": "2026-03-23T11:45:29.978635Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978640Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"be54f7279e69fb7651f98e91d24069dbc7c4c67e65850e486622ccbdc44d9a57", "comment": "Vulnerable Kernel Driver (aka magdrvamd64.sys) [https://www.loldrivers.io/drivers/cfd36b2e-cf96-498e-aeb6-ee20e7b33bbb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7dc8d590-c1a7-5b3b-9515-b608eccbc409", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616077Z", "creation_date": "2026-03-23T11:45:29.616079Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616085Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "316a27e2bdb86222bc7c8af4e5472166b02aec7f3f526901ce939094e5861f6d", "comment": "Phoenix Tech. 
vulnerable BIOS update tool (aka PhlashNT.sys and WinFlash64.sys) [https://www.loldrivers.io/drivers/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7dcdb755-a0e3-5213-93bb-67ad3d6b84dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608527Z", "creation_date": "2026-03-23T11:45:29.608529Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608534Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c8940e2e9b069ec94f9f711150b313b437f8429f78d522810601b6ee8b52bada", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ddadf89-ac9a-5f86-a52c-a16d9e02a4ed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817470Z", "creation_date": "2026-03-23T11:45:30.817472Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817477Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5640179b9cffc3517d322ac2c0bc1258b563f65ebb1b67eb22ecf7f3a0500c7d", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7de1a559-ffe7-542b-a95f-d7ecc61b53f7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474993Z", "creation_date": "2026-03-23T11:45:31.474997Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475008Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c3322c0acfc5059a56a43d3ba4aec5e50fd33e4cbecde61886870d35ca713770", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7de728fc-c055-52c3-a077-08a6352d0235", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494583Z", "creation_date": "2026-03-23T11:45:31.494585Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494590Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "936cd8d5a9631f699f6ea47aee9bb2830f8e5d344a5cbc9a5406849f8c76590b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ded9750-04c4-5131-a855-6e5f266b5654", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619072Z", "creation_date": "2026-03-23T11:45:29.619074Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619079Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d510b3424178f80cbe926217d74bbecbf682a88f1b6052ef27fd27d601fc14f7", "comment": "NVIDIA vulnerable 
flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7df869e0-2205-5e7c-ad6c-234f90b32ac3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452569Z", "creation_date": "2026-03-23T11:45:30.452572Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452580Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8922be14c657e603179f1dd94dc32de7c99d2268ac92d429c4fdda7396c32e50", "comment": "Malicious Kernel Driver (aka 1fc7aeeff3ab19004d2e53eae8160ab1.sys) [https://www.loldrivers.io/drivers/aaf8ce1a-e11b-4929-96e0-5ec0666cef2c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7df95a3f-034d-5650-87d4-186b63cfa41f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823088Z", "creation_date": 
"2026-03-23T11:45:31.823090Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823096Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f3bb5f551e507edc3acf10dc6256330d9346ba8507835d4d3c502a14910d36ea", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7e1ae96f-aadd-50c8-a0c3-250ab5d41ee0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498522Z", "creation_date": "2026-03-23T11:45:31.498525Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498534Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "336fa6004c339b5febea9dac960d794a61c34fdcecf4df8674126e3fe7325020", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7e1e08a7-fb2b-5dba-a718-41b2ce4314a1", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607508Z", "creation_date": "2026-03-23T11:45:29.607510Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607515Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "13aa698c09a31d642d3e2a9dd03be2363b11b4024689fb6c97234719446dbbd7", "comment": "Vulnerable Kernel Driver (aka PanIOx64.sys) [https://www.loldrivers.io/drivers/93c84c08-4683-493d-abf7-22dc2d1cb567/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7e1f2249-2ebd-523d-90a5-640892468946", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142910Z", "creation_date": "2026-03-23T11:45:31.142912Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142917Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"8f4cde6f97420602f31c1bc9aa72a57a46c27ebc37dd412f0aed74cc9e0d1e46", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7e288d1a-4c39-5197-9455-197035923ecb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616347Z", "creation_date": "2026-03-23T11:45:29.616349Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616354Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7e32d87e-1736-5624-b849-516bc7e81490", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:29.975024Z", "creation_date": "2026-03-23T11:45:29.975026Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975032Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ef0dbc4c4735f30e96e16375b18c2f5fa58e15ef60d17786e39e616a4438e264", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7e35bd3e-2d1b-5cb5-8803-2e60722dbbf3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829487Z", "creation_date": "2026-03-23T11:45:31.829489Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829495Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "39af2d3c5bd48f671489db694c1dd7be6dc00165ec687f27f53ce95e7cb2fc29", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"7e3a3cf0-ae6b-5c4c-b790-d1e8fbb8c8ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968040Z", "creation_date": "2026-03-23T11:45:29.968042Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968048Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8fb3d3db095920345cafc55821598b4f46f8d756caf2f18016e331e5567e6a41", "comment": "Projector Rootkit malicious drivers (aka KB_VRX_deviced.sys) [https://twitter.com/struppigel/status/1551503748601729025] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7e3bd893-fdf3-519f-ba35-55ad7518ca9f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499001Z", "creation_date": "2026-03-23T11:45:31.499004Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499012Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "2600f0baa96e447adb3469e95ddbd8bc103c9ae9ee2ed123007873070fb545c7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7e41d856-0158-5e56-be83-8d566d129170", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618339Z", "creation_date": "2026-03-23T11:45:29.618341Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618346Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eef68fdc5df91660410fb9bed005ed08c258c44d66349192faf5bb5f09f5fa90", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7e43783f-f0fb-5a31-93ff-9c8be54f89ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.471626Z", "creation_date": "2026-03-23T11:45:31.471629Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.471638Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fe3256ba26e1b2b60ab1e4fd61196a8fc4a341b2eef7ff9582590c27b682f439", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7e44ed3d-6027-5b0a-b1d5-b129ff708b72", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816602Z", "creation_date": "2026-03-23T11:45:31.816606Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816614Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8159cd1a161eb79c7e2ae361dbbfa24f4b8a30c64679b4b1618acd2f0225d126", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] 
[file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7e452da1-6856-58fd-8d1d-6715c6d74516", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817506Z", "creation_date": "2026-03-23T11:45:30.817508Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817513Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2288c418ddadd5a1db4e58c118d8455b01fd33728664408ce23b9346ae0ca057", "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7e4ac328-0684-5a4c-a0a6-176ff72bfc5b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821786Z", "creation_date": "2026-03-23T11:45:30.821790Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821798Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "182bbdb9ecd3932e0f0c986b779c2b2b3997a7ca9375caa2ec59b4b08f4e9714", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7e597db8-a91a-5341-a859-e143a8ecd618", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811399Z", "creation_date": "2026-03-23T11:45:31.811401Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811407Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1209cbe84d04f0c752cf1dcf4ab861a4563272f939fbd2cbf8b83ac5a2901597", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7e62efd7-d2a1-5e88-945a-fff000326685", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810309Z", "creation_date": "2026-03-23T11:45:31.810311Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810316Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4e09d1f618b48463045f84d6c5998ef060edfd07ff83fa8d44d136ca01a7dcae", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7e69fc38-b6ed-5075-aed7-369b17f69fb3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.142688Z", "creation_date": "2026-03-23T11:45:32.142690Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.142696Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "97ba73eea08c19478189d5c07b48c250a68cd7652517ba8b2633e8c2d1ee2b4c", "comment": "Vulnerable IKARUS anti.virus Driver (aka ntguard.sys and ntguard_x64.sys) [https://www.greyhathacker.net/?p=995, https://www.exploit-db.com/exploits/43139] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7e6b3436-7b54-5904-a761-56c3827153f7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982695Z", "creation_date": "2026-03-23T11:45:29.982697Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982703Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "727e8ba66a8ff07bdc778eacb463b65f2d7167a6616ca2f259ea32571cacf8af", "comment": "Vulnerable Kernel Driver (aka AsrSetupDrv103.sys) [https://www.loldrivers.io/drivers/19003e00-d42d-4cbe-91f3-756451bdd7da/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7e6d5bbf-b262-5c05-b01d-4e8d240ce0c0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459431Z", "creation_date": "2026-03-23T11:45:30.459434Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459443Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "81bcd8a3f8c17ac6dc4bad750ad3417914db10aa15485094eef0951a3f72bdbd", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7e791d8a-cd10-56b3-a2e4-7a29186d8c1d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971633Z", "creation_date": "2026-03-23T11:45:29.971635Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971641Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dcf9bc1e511993fd8c87b8cab5c23366cc818cccc40617cabc8f242d4a8751d7", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7e7d9b00-d6b0-5e3d-82f9-b0214ddc989b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811993Z", "creation_date": "2026-03-23T11:45:31.811995Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812000Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d404dd8e5a851912403e7d444819d4930435377b112fe4ca56368e46617cf14", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7e8c1a8b-1dee-5208-a8e4-282424b5c636", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145151Z", "creation_date": "2026-03-23T11:45:32.145153Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145158Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5c308aede12fefb8145c015a97d7844106df5469de97773cba3bd3d772dc7d24", "comment": "Malicious Kernel Driver (aka driver_5c308aed.sys) [https://www.loldrivers.io/drivers/647f72e7-f378-4908-946c-5e45fab448e8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"7e999679-f7bd-5b0f-a43a-07bc485d162c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462642Z", "creation_date": "2026-03-23T11:45:30.462645Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462654Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2d36642135166bbb296624dca878925963c7da785e42e940f02d01beb7c477d5", "comment": "Vulnerable Kernel Driver (aka asio64.sys) [https://www.loldrivers.io/drivers/8b9d1a29-f5f4-4ce6-8fe2-5709123f7b86/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ea04c9f-d96f-56f4-948c-c448d6b770e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968114Z", "creation_date": "2026-03-23T11:45:29.968116Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968121Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "002fb91a8ed384fa2bb8b72ee3a31c58f5fe73c7ebafc8255e598753b7613dd8", "comment": "Projector Rootkit malicious drivers (aka KB_VRX_deviced.sys) [https://twitter.com/struppigel/status/1551503748601729025] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7eb2126d-c54d-5e8c-8e42-c6864bac51d4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604205Z", "creation_date": "2026-03-23T11:45:29.604207Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604213Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1933f27ebebde55942291381219497019077548a074e8dcdb120c94df1a2489e", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7eb62d52-aaef-5331-90f6-13c6d3da1674", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455920Z", 
"creation_date": "2026-03-23T11:45:30.455924Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455933Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3e62730949b6cbbaf938d9b2015fe1b84eb63322c4287d0ce2b4c6f987c2dadd", "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ec10a45-fc42-5993-96d7-60c3a8b8fb6c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499693Z", "creation_date": "2026-03-23T11:45:31.499697Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499705Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4820e2269e711eb8c8656691cefc36c344f36611ba50f6a1ca772c2c924260aa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ec3b3af-0036-5f0f-b22a-b25b4859bb03", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 
10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827471Z", "creation_date": "2026-03-23T11:45:30.827473Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827479Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d06ad26e336360720834394c105e5ff6a982bffb2f1b17633de12a5accda462d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ec446e8-687c-59e5-a07c-4f16bcae06a8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824933Z", "creation_date": "2026-03-23T11:45:31.824937Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824946Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"d2a3cafd51ef8ee390332285607bc138f0eb14794c6b3651b0c53fb56fe964ee", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ed0dfb1-b1f0-567e-a0e5-7a0732f7f75f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147570Z", "creation_date": "2026-03-23T11:45:31.147572Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147577Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0a768158c06ff8edfb78ec3b1e4fd94f6192db3a8e99de1bae49fe20b3b1b8cc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ed3b7d1-aac0-5e42-a033-cd34edcedf95", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974212Z", "creation_date": "2026-03-23T11:45:29.974214Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974219Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d580349730ace5170e7c33850bdcb37cbf16b70d0d1adc2568fdd223c2a55a77", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ed9927e-4337-5ce4-be7d-2e66fa3dbe3d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820353Z", "creation_date": "2026-03-23T11:45:31.820356Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820365Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3ca246561628f2a9af36c683656b7d35155019d0c852dd4d8ef0dab3b2e8fd8d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"7edeec82-8157-58db-80e0-fbf233e75a5b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464681Z", "creation_date": "2026-03-23T11:45:30.464684Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464693Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "26bea3b3ab2001d91202f289b7e41499d810474607db7a0893ceab74f5532f47", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ef0d9b6-d7d4-55b2-a4ff-2665ab2f39ea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622105Z", "creation_date": "2026-03-23T11:45:29.622107Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622112Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "db2a9247177e8cdd50fe9433d066b86ffd2a84301aa6b2eb60f361cfff077004", "comment": "CapCom vulnerable driver (aka capcom.sys and smep_capcom.sys) [https://github.com/tandasat/ExploitCapcom] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7f062100-a1dc-5e01-8507-4857f7254c7e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144726Z", "creation_date": "2026-03-23T11:45:32.144728Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144734Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d35bc51acafab893698e6064d286541918a789ac7c06a6442bf4351dde842777", "comment": "Malicious Kernel Driver (aka windivert.sys) [https://www.loldrivers.io/drivers/45a31a17-f78d-48ec-beba-74f6bfc5f96e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7f164674-0e50-5379-91d5-367da8094c5f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146038Z", "creation_date": 
"2026-03-23T11:45:31.146040Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146046Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "883cef0ccaa689226bd64f18797b991757985c0963f80924bc9fbe3f93c03ef6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7f21c238-96bc-5205-b518-93adc94f5e7b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818666Z", "creation_date": "2026-03-23T11:45:30.818668Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818674Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "53e15b21cc69a554d4d61ffe531be90364ed7b1bb64fc302d65eaa642c9fa60a", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7f4390e7-622a-5d04-8c48-b90bedeeef4a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.497808Z", "creation_date": "2026-03-23T11:45:31.497811Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.497819Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8b9b61e2e31eb8a8b9d5fc240489268fd4c77a70acbe000a79ec85445825a5ae", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7f440e0e-8cb2-5583-b1ef-8ff72f2be431", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606025Z", "creation_date": "2026-03-23T11:45:29.606027Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606033Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"30abc0cc700fdebc74e62d574addc08f6227f9c7177d9eaa8cbc37d5c017c9bb", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7f494827-ebe7-5b84-9cf1-0179e8eb719c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474263Z", "creation_date": "2026-03-23T11:45:31.474267Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474275Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9111e37a8b6b1ac41c4c909660301743cb1edf817555cce6c896a59ffe2025ec", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7f553e4d-ecb2-57aa-98df-5fd95309f1db", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.617592Z", "creation_date": "2026-03-23T11:45:29.617594Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617600Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8dca2ad045a9af1cdfc26d82fa7c581448aee098439fa21eee23d4c468a08560", "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7f5d25b4-e381-5bdf-9af9-d88b207e31c7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479953Z", "creation_date": "2026-03-23T11:45:30.479956Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479963Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0285024823009ff4865ba119ebdd3712aa40406d33a45d9f93ef51525d20aa34", "comment": "Vulnerable AMD uProf Kernel Driver (aka AMDCpuProfiler.sys) [CVE-2023-20562] [https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7f61805c-7dba-52bb-aa24-9c4285520e74", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819054Z", "creation_date": "2026-03-23T11:45:30.819056Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819061Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b7036cd12dc9e3550239310fd8ff4f14e4266bbd0de3aba7b087068a253b506b", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7f786451-924c-51e6-9e42-39b847fdfc3b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453223Z", "creation_date": "2026-03-23T11:45:30.453227Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453237Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"4c859b3d11d2ff0049b644a19f3a316a8ca1a4995aa9c39991a7bde8d4f426a4", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7f8c58aa-4971-55f8-add3-a1bc39565f11", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828759Z", "creation_date": "2026-03-23T11:45:31.828761Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828767Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8aeaca6eadb98b98a453403b2e2051e1392da2b59b69ed0444661cd0db7fb3ef", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7f8ee504-40a9-59cb-872b-5b43b20f5bdb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970054Z", 
"creation_date": "2026-03-23T11:45:29.970056Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970061Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d92b2f58c8fca3d3634b0c20578edd5004df571b29790690c97255e6096442c6", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7fa374c9-6e50-528d-b118-8040b020f22c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830240Z", "creation_date": "2026-03-23T11:45:30.830242Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830248Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bc246ddc41cfa6896e1a9a81bc1927ed04ab2a77ac45fadc50fa332cedfd26df", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7fad973a-0613-5512-9027-d42f16cb4155", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828790Z", "creation_date": "2026-03-23T11:45:30.828792Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828797Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cb89285f84fb13f7a5776abe89fe53303ee909d1b42b3bd7b89eb6b7429f429b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7fd9d383-48e9-5135-904e-7db00eb28243", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824512Z", "creation_date": "2026-03-23T11:45:30.824515Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824522Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"44e47c0a575abda6ced0dfcf4061eac2d01b229bd04bce7c760466d638c7b5d0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7fe759aa-0c6e-522f-8f57-c460d3716321", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830383Z", "creation_date": "2026-03-23T11:45:31.830386Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830394Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b368de498601571722e619cf2fd65007c24351120687e1b887086db2482e0021", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ff1d88f-c986-5d33-a3e3-d9efca2affa8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498495Z", "creation_date": "2026-03-23T11:45:31.498498Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498507Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d3b620b41cd43c1feeadb5cdd8e9668b8b68c6bcbdfde5c5d7ad10baa05349e5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "7ffd1aa0-839a-581e-a7c5-6ffc7089c546", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618859Z", "creation_date": "2026-03-23T11:45:29.618861Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618866Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ae7d7d8a5bc48f2fb1dc81806a5eed52c3efc487cfdc8737d3ea3970dca7ce27", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "80000f78-d503-5a0d-a3c9-530804b7ce0b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975752Z", "creation_date": "2026-03-23T11:45:29.975754Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975759Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6aa427e7230a2b077bfecade35ffff67b2f15c051cf92fd207a3412c747f83c3", "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8000d607-a865-5207-83a1-a7a95cf66aeb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473796Z", "creation_date": "2026-03-23T11:45:31.473800Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:31.473811Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0d7e6e23fc631ed0c11093706346317f4f595791e47a8181a0ef633e5756faa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "800cf905-22be-544b-b07c-87fb3574f920", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819743Z", "creation_date": "2026-03-23T11:45:30.819745Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819750Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ae3a6a0726f667658fc3e3180980609dcb31bdbf833d7cb76ba5d405058d5156", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8011e70b-92dc-56c8-ad91-7b83c970a2d1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153524Z", "creation_date": "2026-03-23T11:45:31.153526Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153532Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0878201bd1efa4c49a78d317d80a63778e501f4047e2d21784692a88ab2eb2d8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "80337d1f-2212-5313-b400-21e2c955bae3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621863Z", "creation_date": "2026-03-23T11:45:29.621865Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621883Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0e955e57f078a2c0de7d113e85859bb3e0fcac772a5a1b9b9709a90a86ef4cd5", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] 
[authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "803707d2-e087-506b-9f1a-dd84f971aca8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828333Z", "creation_date": "2026-03-23T11:45:31.828336Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828344Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "258d710911124ef857fd95e17754327c18442364a35c102f7e9fcb9fe4a1dbfb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8037e9f8-2545-5978-8b6b-d11783d02a08", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824421Z", "creation_date": "2026-03-23T11:45:30.824423Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:30.824428Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e344e75f109f239594ef460dd71465830f14eb4c6001a9d36af76ccc51ed7cc7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8040f2f3-c2a7-529d-a564-9e9f9b123ba3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826367Z", "creation_date": "2026-03-23T11:45:31.826369Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826374Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d217c8e84ce38732611fdd26a28f0a1f5d216b885ea3650d6c70d107c9dd44db", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8041b3a8-dea2-5c12-95f7-2c3c144ee9b7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969888Z", "creation_date": "2026-03-23T11:45:29.969890Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969896Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c8b5fddf52551259d7d936283aa4fdc4579c5e4b030a11267496cdbdc143e15b", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8043e944-c2f3-531c-a4e6-5b0031bdd650", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808294Z", "creation_date": "2026-03-23T11:45:31.808297Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808306Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "32a53835967cc3690dede58d9e7e006cfda9730e26418a6a37750a7bc6a07d6f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8058a5f6-dc8e-5f28-b2cd-4eab04b54784", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487523Z", "creation_date": "2026-03-23T11:45:31.487525Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487530Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eaab0a8078b14e108dea51525b4b91acc28526337f06e9dd272c22242ddfe74b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8059b119-1dd6-578f-a40b-dfa198dde249", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618566Z", "creation_date": "2026-03-23T11:45:29.618568Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618576Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "51dbf446deb54beb8aef1de11e0f868ac062a9db0c31d0e16eff99203aec86a9", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8063326e-1b72-5c8a-b5cf-bd1930fe5280", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143297Z", "creation_date": "2026-03-23T11:45:32.143299Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143305Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ecd6e879e5521ca4053a59ef6682a95d97f6d9ba75f313b87bd133afe5267852", "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8065ab1e-139d-5cd0-b620-ac1c59aab364", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.496008Z", "creation_date": "2026-03-23T11:45:31.496011Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.496020Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "07e98ca630e107adec07257ad17740d5da20a66513edf9174560fdf8c8bd6102", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "806f3e88-faf8-5503-82a8-2a6f2f3bd0f3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825164Z", "creation_date": "2026-03-23T11:45:31.825167Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825176Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eb9577d0beee89bf57531a916a88085fb21a1ca8f217cbcdd2d9eb10395ec4c9", "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "807157a0-211c-5ac3-b3d0-fc4571c3fdb5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157170Z", "creation_date": "2026-03-23T11:45:31.157172Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157178Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a0f964dcc6e887a09959da6a0056b7ba4fdfa5f06869e3f9781f1836764afcf4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "807852ac-62f7-5ffb-9e7c-a0e26320862e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475072Z", "creation_date": 
"2026-03-23T11:45:30.475075Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475084Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab6c6a6a4d7ae58cbbc63283699aaf59cf6ecddf56eba0933178732f2664abcd", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "80818bdb-dfd8-5f2c-a088-af2aa8e3fce3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829893Z", "creation_date": "2026-03-23T11:45:31.829895Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829900Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0ef42bd4b8f14f025fb220ed9a45aab6cd3fd8cc282042bd4d601ebfe7865fe7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8087457e-1df1-58ee-a611-09641e2f9e54", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476020Z", "creation_date": "2026-03-23T11:45:31.476024Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476034Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2f18cd5a57c83f7254c0e376fc713a387ba5b800a272c2013870bd5d4e483fdd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "80994992-ad77-5142-b9e2-71858df38492", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160738Z", "creation_date": "2026-03-23T11:45:31.160740Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160745Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"43e5c2e6aa753481f5a98f25d2369a8dde994a33f7780884c4669bf6b0327ffd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "809b8951-1dfe-567f-b531-1dbe279faa14", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614178Z", "creation_date": "2026-03-23T11:45:29.614180Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614185Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ae42afa9be9aa6f6a5ae09fa9c05cd2dfb7861dc72d4fd8e0130e5843756c471", "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "80a8b2a7-9d7f-5650-a3f3-4c7fb2974b75", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611864Z", "creation_date": 
"2026-03-23T11:45:29.611866Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611882Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "26d69e677d30bb53c7ac7f3fce76291fe2c44720ef17ee386f95f08ec5175288", "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "80a9b8ca-1603-5cff-826b-3ff270d37cda", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141921Z", "creation_date": "2026-03-23T11:45:31.141923Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141928Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0e8dd1f4de4e4cc11d3f6ca90d2f247df53aceec3e785a6245b35c98bc509d3b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "80af64e7-9c8a-5749-a901-e9528ce65a37", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812544Z", "creation_date": "2026-03-23T11:45:31.812546Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812552Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2b858eda9816986ec170cb5fa8f2bbf807c77a46430264b68a379e568a788bc6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "80b19be8-d030-5950-8d92-4ecfd72a5738", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978475Z", "creation_date": "2026-03-23T11:45:29.978477Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978483Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "18dfe852fade6625862cc963922c1f2389a296af96df11eb7b62bbeddd61e18a", "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/a7628504-9e35-4e42-91f7-0c0a512549f4/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "80bb6ad6-e9ea-53ed-a5a3-11f2423884a4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151569Z", "creation_date": "2026-03-23T11:45:31.151572Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151582Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4053661f7153f5305e9aa491c003b2025e2b8ed96a9cf83d539916fe52b8bf8b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "80c0fccb-c742-5b2d-934c-2b2d8c450dc1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.142362Z", "creation_date": "2026-03-23T11:45:31.142364Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142369Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a12541f2b5689d8270552a397e45522eb2638a08235540db197872d264caf597", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "80cdbc9f-b575-5b57-bdd0-50b616204d09", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157257Z", "creation_date": "2026-03-23T11:45:31.157259Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157265Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "acc7c9347635ea9b1e449696ba6ee06134781aa7a8a12d1b492c51afd3385bce", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "80d3836f-985c-5d5d-86c5-19870f8abf00", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983999Z", "creation_date": "2026-03-23T11:45:29.984001Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984007Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6de84caa2ca18673e01b91af58220c60aecd5cccf269725ec3c7f226b2167492", "comment": "Vulnerable Kernel Driver (aka msrhook.sys) [https://www.loldrivers.io/drivers/1a1cf88a-96d0-46cd-a24d-1535e4a5f6e3/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "80db9ef8-8229-5987-a447-daf1e8421fcc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976336Z", "creation_date": "2026-03-23T11:45:29.976338Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976343Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"88076e98d45ed3adf0c5355411fe8ca793eb7cec1a1c61f5e1ec337eae267463", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "80dbe0fe-d855-5e9a-96f0-d4e9f4cd4fda", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834928Z", "creation_date": "2026-03-23T11:45:30.834931Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834940Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "237f79d4c8784776469b41378698f855c26e20f363ddffbed5e55f978110a8f8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "80f65a26-e347-547b-92a8-21b3e7c53ce0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:29.967456Z", "creation_date": "2026-03-23T11:45:29.967458Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967464Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bbc58fd69ce5fed6691dd8d2084e9b728add808ffd5ea8b42ac284b686f77d9a", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "80fb12ff-e6fa-5515-abb4-4859adcd5861", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984906Z", "creation_date": "2026-03-23T11:45:29.984908Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984913Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "36b9e31240ab0341873c7092b63e2e0f2cab2962ebf9b25271c3a1216b7669eb", "comment": "Dangerous Physmem Kernel Driver (aka BS_Def64.Sys) [https://www.loldrivers.io/drivers/4a80da66-f8f1-4af9-ba56-696cfe6c1e10/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "810f4c65-b5ee-5fa9-a79e-a5095447766c", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143918Z", "creation_date": "2026-03-23T11:45:32.143920Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143925Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a490a57a8f57ae27571629197bb652b0f4c84f9414d09bf6cfe2ee1b175101b4", "comment": "Vulnerable Kernel Driver (aka Afd.sys) [https://www.loldrivers.io/drivers/394f49b2-2d78-4d0d-b374-1399695455f3/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "811b3a74-d768-5f61-baa1-75ed8525f0be", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607685Z", "creation_date": "2026-03-23T11:45:29.607687Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607692Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"7f5dc63e5742096e4accaca39ae77a2a2142b438c10f97860dee4054b51d3b35", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "811dd858-c6e4-5fd1-aa2d-c3975c507389", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480729Z", "creation_date": "2026-03-23T11:45:31.480733Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480742Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0ebb1a48c4eb16cd6213898edeb48d00a0c0fe1884b204f6b56dd9f4356f7bf8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8125580b-1172-57ea-af15-c325cb5ef891", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:31.818737Z", "creation_date": "2026-03-23T11:45:31.818741Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818749Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9e510d0ef684a52cf4871520cb9ac2c4d289d0717ba9bd3a33739aab433b252b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "813d3e30-0f9e-5d35-a841-8fbf23a5a12e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.161057Z", "creation_date": "2026-03-23T11:45:31.161059Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.161065Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9fc7b3f9ed8b3b21684d8691d5c4486bc6e39dabca6f293ae2205cd647e8793f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"814bdd15-d6e6-5f47-b863-1552fb334b95", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970529Z", "creation_date": "2026-03-23T11:45:29.970531Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970536Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2456a7921fa8ab7b9779e5665e6b42fccc019feb9e49a9a28a33ec0a4bb323c4", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8154ed8d-78d0-5e50-b64e-f71e82d1e39c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976588Z", "creation_date": "2026-03-23T11:45:29.976590Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976595Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"29bf8618816bce5fa2845409d98b7b96915e0763bb04719535ca885e4713cfaf", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "81572d04-d2a4-5e42-98a2-71372cc5a680", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155345Z", "creation_date": "2026-03-23T11:45:31.155347Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155353Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "01423a32ba9f1f1a6652104b4123420ca0f63c0a5ad74f69e53aa553360f86c6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "81577f0e-291a-5ef4-a6fe-625027aed9a6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:31.484087Z", "creation_date": "2026-03-23T11:45:31.484092Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484100Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0c67887a7bc5ae3d94cafa31901e8fcf3e2f0d2ecb33f6639066588bd721e9d2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8168b6b5-2944-53a0-8947-77355df1d3dc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455473Z", "creation_date": "2026-03-23T11:45:30.455476Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455485Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6e9e9e0b9a23deec5f28dc45f0bbe7423565f037f74be2957e82e5f72c886094", "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "816b1a64-668e-5a57-ac77-e38a9ff15280", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980734Z", "creation_date": "2026-03-23T11:45:29.980736Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980741Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aab97fb324c883f1de71112e1d9fb716cef40636e39a3b9f4a5b8678cf7bde3f", "comment": "Vulnerable Kernel Driver (aka CtiIo64.sys) [https://www.loldrivers.io/drivers/de365e80-45cb-48fb-af6e-0a96a5ad7777/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "816bcbb4-3406-5e44-a44a-3bd00ab98b2e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142238Z", "creation_date": "2026-03-23T11:45:31.142240Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142245Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"7755e3bdac09106370c5676a332bf800f5790d0cf1cfc58c634127630a08f045", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "818a71b5-49cd-5e4a-b4c3-112d9eefa02a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818613Z", "creation_date": "2026-03-23T11:45:30.818615Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818620Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "33bc9a17a0909e32a3ae7e6f089b7f050591dd6f3f7a8172575606bec01889ef", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8194e364-2d52-5277-9444-20364437d672", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.146528Z", "creation_date": "2026-03-23T11:45:31.146531Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146536Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "206264f6d4f14ca8e4f721c5f954d78c8f23546afafd3f6542e23c86fdffc572", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "819b1411-f51b-5f15-9299-e19e41ec8fd6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975535Z", "creation_date": "2026-03-23T11:45:29.975537Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975542Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b37b3c6877b70289c0f43aeb71349f7344b06063996e6347c3c18d8c5de77f3b", "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"819c4ced-872c-5689-808a-2138d989a314", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831344Z", "creation_date": "2026-03-23T11:45:30.831347Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831357Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "868a5cbf26acfa167dc582dee9e8b9449b708a2242ddb2f858f079dcb897f5ab", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "81a05c2c-15d3-5275-a79a-bbf3b83913ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465892Z", "creation_date": "2026-03-23T11:45:30.465896Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465904Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "704c6ffe786bc83a73fbdcd2edd50f47c3b5053da7da6aa4c10324d389a31db4", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "81a9fb1d-f1fe-527f-bc77-48da8dcc0e20", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816499Z", "creation_date": "2026-03-23T11:45:31.816502Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816510Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5ec92bab224368247d83a9faa46b771fcfaf43480904d23ff06bea5d77f3eb3c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "81b88910-51c6-5d1a-8c1e-1cd71b4543f7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.484116Z", "creation_date": "2026-03-23T11:45:31.484119Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484128Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "379c0d846b505affc22a61bc5ccfc3f58c51321ab733342c6f94a1d0c8e9463e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "81c20eb7-0904-5b6b-ba49-480d37e16bf0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969470Z", "creation_date": "2026-03-23T11:45:29.969472Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969478Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5512aea158c30e4f52c1e27136c1c803c98388d1d8c7269e497728fd0b57d9f5", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { 
"id": "81c311b2-2334-5add-a7fe-6e86066bd453", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482621Z", "creation_date": "2026-03-23T11:45:31.482626Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482635Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d79be2d97137276e5cf9fb07fef8df72dd20701e1ff4e7ec9180a8ff5567aa50", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "81c4c3e5-12cc-5826-8252-c03f54af80d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142700Z", "creation_date": "2026-03-23T11:45:31.142702Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142708Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "48363eb346fff1e20a8eca484e6447cb232ec8ae009555631bf7c7d7a97b15c8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "81c5c3af-43d1-5142-9305-0ade01ddc6cc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142326Z", "creation_date": "2026-03-23T11:45:31.142328Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142334Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d4f334bccb62825eeead6a3062b7425afe50b674207f88d6fbd4aef8e5510365", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "81c77c29-ea52-5537-849a-83edbe7a162c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615135Z", "creation_date": "2026-03-23T11:45:29.615137Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615142Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c2a4ddcc9c3b339d752c48925d62fc4cc5adbf6fae8fedef74cdd47e88da01f8", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "81c7a7b8-d0a3-5325-8796-0d39ce115cc6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613648Z", "creation_date": "2026-03-23T11:45:29.613651Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613656Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7aaf2aa194b936e48bc90f01ee854768c8383c0be50cfb41b346666aec0cf853", "comment": "Vulnerable Kernel Driver (aka AsrSetupDrv103.sys) [https://www.loldrivers.io/drivers/19003e00-d42d-4cbe-91f3-756451bdd7da/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { 
"id": "81c7ce45-ec56-58b8-87a7-5b6c7e74f13c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607328Z", "creation_date": "2026-03-23T11:45:29.607330Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607336Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b61869b7945be062630f1dd4bae919aecee8927f7e1bc3954a21ff763f4c0867", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "81d7798e-d940-52ea-a377-a9db19240d83", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472666Z", "creation_date": "2026-03-23T11:45:31.472670Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472679Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "42392416a73b17679bf2e75083f6b7cf216eebcb63a2c10192041d630d783fe8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "81e24cdd-be88-5359-9047-4865188375f9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463784Z", "creation_date": "2026-03-23T11:45:30.463787Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463795Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8b30b2dc36d5e8f1ffc7281352923773fb821cdf66eb6516f82c697a524b599b", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "81e40760-4443-526f-8e1d-2eee594ccb7d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820048Z", "creation_date": "2026-03-23T11:45:30.820050Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820055Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "221369498ae77e0ff60ce2f59de6ef2bbb01aca8cd55d7a8487760068f5a544a", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "81e97c58-d1ab-5ad8-94ee-a4a1d04159b2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609557Z", "creation_date": "2026-03-23T11:45:29.609559Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609565Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1251eef40b877fd379c175c02bb83e230fa5acd30020e54acc0718ab326818b3", "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "81f6dccc-f833-50d1-a017-1bc8760f609e", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619089Z", "creation_date": "2026-03-23T11:45:29.619091Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619096Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e5a6fe0d0a3894f55b7ba9b4d5a03022f6146544f1f874ae1ef32c29450535b7", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82009fe8-8ce7-5f62-8540-f4fe4b9614c9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480397Z", "creation_date": "2026-03-23T11:45:31.480400Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480410Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "e032410a55db0311918bdf411fe403b745c02a6112d4ac9dc8689d1ae6dc7dd2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8209f5d8-4d19-5721-b7b5-b3459c3c36f5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824367Z", "creation_date": "2026-03-23T11:45:30.824369Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824375Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "416e71a3fd5f8d20caea3661d95b48a70cab35650fa7fc9db59ceeff80a324da", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "820ee5ee-a888-5a77-b1e7-ac901d894562", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980837Z", "creation_date": "2026-03-23T11:45:29.980839Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980845Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2b120de80a5462f8395cfb7153c86dfd44f29f0776ea156ec4a34fa64e5c4797", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82132cd3-b01f-5ebe-b044-89105206d9ed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981147Z", "creation_date": "2026-03-23T11:45:29.981149Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981155Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7c830ed39c9de8fe711632bf44846615f84b10db383f47b7d7c9db29a2bd829a", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "821a7c74-445d-5d22-b6a7-b4bec318d4d4", "test_maturity_current_count": 
0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144390Z", "creation_date": "2026-03-23T11:45:32.144392Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144398Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e6b039e10d2b93fbce625ecb7bf04b38eac69b96385fc3b28541c8da78fd8ad", "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "821b5805-f6c2-5f9b-8f73-a7bddf3102f0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143114Z", "creation_date": "2026-03-23T11:45:32.143116Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143121Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"ada2b855757c9062231f5ed4e80365b8d8094e9adbce8f26d1ff5ea0b7a70c77", "comment": "Vulnerable Kernel Driver (aka echo_driver.sys) [https://www.loldrivers.io/drivers/afb8bb46-1d13-407d-9866-1daa7c82ca63/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "821bb7bc-006c-55e6-9257-cebf8d3770d3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490401Z", "creation_date": "2026-03-23T11:45:31.490403Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490409Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9fafa5175851027e63ca29722169b363f0558426ea7a58640578c3e6d2e3407a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8232b798-0edd-555f-a8e0-fbdfc96bf56a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833616Z", 
"creation_date": "2026-03-23T11:45:30.833619Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833628Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2846aeae7f34281c69a7f6183797768f4418a8fc76119800d5f15d47bcdb85ec", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "823655e8-9929-50fb-97fa-f5d8c9532ef8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147734Z", "creation_date": "2026-03-23T11:45:31.147736Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147741Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c7055b8634a17d0a88825995b91cfebf00d177add33c1d1d5d2de77b000128d5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "823b12d0-a926-59c3-9229-bb7e5c0f6a09", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146402Z", "creation_date": "2026-03-23T11:45:31.146404Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146409Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "74edf2e45870d507c804ec269419b327cf2bbff82dd9330dfc91ebc84192f521", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "823b1426-bd3d-5db3-93ea-b9006a2bf178", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971714Z", "creation_date": "2026-03-23T11:45:29.971716Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971721Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "082adcdc2d246d2291bcf135a7519840a84f27cfa3143d1372a9e2aa5e514dbd", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "825c2dbe-c2a3-54cb-ba17-2912988484af", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969906Z", "creation_date": "2026-03-23T11:45:29.969908Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969914Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3b38427f167fde644868a62f0aa1ed03790137905c97024ac21729fa6153eca2", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "825c9d7d-51f7-5863-b60d-52e6654c926d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493967Z", "creation_date": "2026-03-23T11:45:31.493971Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493979Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b023404cb64ca532643fa25c600890f00fbfe3449ce1d0f103492318febfce27", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "825d584e-3027-5d05-8aca-a26f78c71a3e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815787Z", "creation_date": "2026-03-23T11:45:31.815791Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815799Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7e83096a0dcb5fecc798c4e0aac70c9bfa05801fdb75c723d7a539652837db8f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"8269a3b1-365e-5497-8571-40e7d72a4717", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823792Z", "creation_date": "2026-03-23T11:45:31.823795Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823804Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea0f17275cd9620f94b482035cdf441a164771c997e84c0a997cfb48cb5db158", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "826b79d6-0b83-50a3-b474-5c79625b1b68", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813985Z", "creation_date": "2026-03-23T11:45:31.813988Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813997Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5bfa6720e5972521751dd96257bb2e9d6bb264084dab8b6467dcb5710299c807", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "826f81b1-1f94-585c-adc3-dd28280fceb0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149478Z", "creation_date": "2026-03-23T11:45:31.149482Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149491Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f838aec60dd23e9c02812dfd8dd0c2648cba2f5b8c2f8b289e5bb6a08f196dda", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82721302-e015-509c-a6d2-b551d9cfdca9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478074Z", "creation_date": "2026-03-23T11:45:30.478078Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478087Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c155197986db77be55716c49262ac009aefce647dae68268a2b9c7a7fd97c7a0", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82742b7a-c6fa-5bb3-a8ae-8bcee41e5c1e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141059Z", "creation_date": "2026-03-23T11:45:31.141062Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141067Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f41b603a0aa3b477d30afc420f72c3db16a18f8786422560f7eb632d1482d805", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "827e9cee-160f-51ce-a190-91ad08d35c87", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148774Z", "creation_date": "2026-03-23T11:45:31.148776Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148781Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b02e0b4f09877897346b28501466e4dec0393127646021e0a816ac39618c5317", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8285f53d-3cf5-5e68-bf1f-7b1d6a1e432d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811489Z", "creation_date": "2026-03-23T11:45:31.811491Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811496Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4a0149b64218c927cba80d302e6db403e9b4c6cbacb905070ff451303b7d26b5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8287b07b-56f0-5c4c-8d78-25491841c815", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828755Z", "creation_date": "2026-03-23T11:45:30.828757Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828763Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f3935e0f74dd7996d9fd900eb7fb167ab301a00c6c9f9034428ee8b6a65502f1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "828f1d9e-9fbb-5944-bf12-1693491d7ca4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151918Z", "creation_date": "2026-03-23T11:45:31.151921Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151930Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1ced1f634e780e4fef2f9b06268d8142207ca4294bbab677a923ec091f3baa3c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8293ebec-d168-59ca-bee7-f5c86dc906d4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835322Z", "creation_date": "2026-03-23T11:45:30.835325Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835333Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "208146a5e37dabdc40c022a8adcf6d95861e5e651a037998b7fe505d0b46c178", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "829c81aa-6265-51ca-bc89-d3411ff74334", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617041Z", "creation_date": "2026-03-23T11:45:29.617043Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617048Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "af20c1b4eb703083979e6f4e211327495f7a0a27ace9a52bd22dd3737be7a8b1", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82a14366-d713-5b46-a9f3-df5ca98f8fc3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476831Z", "creation_date": "2026-03-23T11:45:30.476835Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476844Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6429f89dd7e9f8f7784736b6d3471be3c480d4eb4c9a573c698ede1dd64f5010", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82a30800-b664-5b16-ba42-37bd938f6668", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472620Z", "creation_date": "2026-03-23T11:45:30.472624Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472640Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b738eab6f3e32cec59d5f53c12f13862429d3db6756212bbcd78ba4b4dbc234c", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82a910b2-1f2a-54fa-9631-0733d790c7a5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464368Z", "creation_date": "2026-03-23T11:45:30.464372Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464381Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "29348ebe12d872c5f40e316a0043f7e5babe583374487345a79bad0ba93fbdfe", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82a9226d-d49b-5a39-841d-7a8fa487b92e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980803Z", "creation_date": "2026-03-23T11:45:29.980805Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980810Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f85cca4badff17d1aa90752153ccec77a68ad282b69e3985fdc4743eaea85004", "comment": "Vulnerable Kernel Driver (aka IObitUnlocker.sys) [https://www.loldrivers.io/drivers/4bf4b425-10af-4cd4-88e6-beb4b947eb48/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82ad7062-e6bf-5162-9aa8-576b401e2f4d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978738Z", "creation_date": "2026-03-23T11:45:29.978740Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978746Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "18c909a2b8c5e16821d6ef908f56881aa0ecceeaccb5fa1e54995935fcfd12f7", "comment": "Malicious Kernel Driver (aka gmer64.sys) [https://www.loldrivers.io/drivers/7ce8fb06-46eb-4f4f-90d5-5518a6561f15/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82b7cda4-6ea1-5485-b5ae-7f8e65a772ac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985286Z", "creation_date": "2026-03-23T11:45:29.985288Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985294Z", "rule_level": null, "rule_level_override": null, "rule_confidence": 
null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a97e5c6cd926fa47ab1a69963169223cc669bd654a2f128165ba4ebe1d08bd17", "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82c51088-f701-5369-83cd-e66b7d6c03cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145169Z", "creation_date": "2026-03-23T11:45:32.145171Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145177Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3768122b8ab7a518d3717cabdfdd7d9592ec986b3f85d40064fdf99c6f569f6b", "comment": "Malicious Kernel Driver (aka driver_5c308aed.sys) [https://www.loldrivers.io/drivers/647f72e7-f378-4908-946c-5e45fab448e8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82d2ec3d-2beb-5a76-873b-26fd584267ed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:31.490782Z", "creation_date": "2026-03-23T11:45:31.490784Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490789Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f4083b4353135cd29fbc32d2ecd1df91f86f667c93ddae3393158f6a126e98f4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82d48878-dd67-501a-9a35-28f360c758d5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468016Z", "creation_date": "2026-03-23T11:45:30.468019Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468029Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f2b0d70e2d55a5f69ddaac13460cfcd63746ac1c09f826772cca5b857dde240a", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82d5e3f6-c043-55bb-9f82-dcb528f2e191", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982104Z", "creation_date": "2026-03-23T11:45:29.982106Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982111Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3279593db91bb7ad5b489a01808c645eafafda6cc9c39f50d10ccc30203f2ddf", "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/b03798af-d25a-400b-9236-4643a802846f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82d64303-ca93-567e-848b-5e6a53865f6d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148980Z", "creation_date": "2026-03-23T11:45:31.148982Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148990Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"dc6f8fab6fb713f0cc635a816bea4b64ba0243624ec880bfe7a9829649a2bfbb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82da04eb-23a1-5e82-abdc-a2bd1f12eab6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477675Z", "creation_date": "2026-03-23T11:45:31.477679Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477689Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "49375b39428fa7c8e55b0bcdbbbbc27668faa934a401ec91fd88a33ab4b2375d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82dde3e3-91d9-5ebb-a6df-e79c402e36dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466551Z", "creation_date": "2026-03-23T11:45:30.466555Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466564Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee525b90053bb30908b5d7bf4c5e9b8b9d6b7b5c9091a26fa25d30d3ad8ef5d0", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82ded53d-72a6-5963-a6ec-4fa5655c60cd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.147058Z", "creation_date": "2026-03-23T11:45:32.147060Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.147066Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "206f27ae820783b7755bca89f83a0fe096dbb510018dd65b63fc80bd20c03261", "comment": "Vulnerable Kernel Driver (aka NSecKrnl.sys) [https://x.com/anylink20240604/status/1967181190949228608] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82e629a7-d57f-56b2-abdc-8b2a234fa160", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146136Z", "creation_date": "2026-03-23T11:45:32.146138Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146144Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "167730744bd7cb117aae9931f81d20cbd2ec6eee480388c53d2fc973ede920ea", "comment": "Malicious Kernel Driver (aka driver_16773074.sys) [https://www.loldrivers.io/drivers/a0f0d0db-15a2-48e4-af39-50967ee8b541/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82e85799-6767-5d9a-9086-84111b4537a2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476800Z", "creation_date": "2026-03-23T11:45:30.476804Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476813Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e2a330131ca4a9499736fdc72e819a6ff1f883b1c6dc7b83d5b69d288508e0fe", "comment": "Vulnerable Kernel Driver 
(aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82e9c5c2-ca8e-512a-829f-23b7815fd613", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608014Z", "creation_date": "2026-03-23T11:45:29.608016Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608022Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5182caf10de9cec0740ecde5a081c21cdc100d7eb328ffe6f3f63183889fec6b", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82efc428-68e5-51da-93a0-77d5150ad7ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826314Z", "creation_date": "2026-03-23T11:45:31.826316Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:31.826322Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9dfeef1377073421a97c12fc8d6f1de1ef29835b4cae03a2f9347a5e68b3ec62", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82f16176-a88d-5f84-9c2b-effc1931c29b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984286Z", "creation_date": "2026-03-23T11:45:29.984288Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984293Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "457e2eb5ee1def0e336463b7f62dcc02fdde307b817cf750907a5f5465c4dcb7", "comment": "Vulnerable Kernel Driver (aka irec.sys) [https://www.loldrivers.io/drivers/d74fdf19-b4b0-4ec2-9c29-4213b064138b/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82f36c10-f4f8-5879-b5c6-96147861cbfe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820725Z", "creation_date": "2026-03-23T11:45:31.820729Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820737Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "db5c7773b067c9671fff4b0fbc3c27a2d9fddfd4ca79d2bab56b9619a3de625a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "82f4cd57-63b7-5b48-a3cf-a9682dea8d7d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812454Z", "creation_date": "2026-03-23T11:45:31.812456Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812461Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5825bece9c191da9975c36a96a9b507840a54628085f3beb06c8f610d59bb467", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "830dcca3-ad41-5a5b-9dfc-9f1042a24390", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985412Z", "creation_date": "2026-03-23T11:45:29.985414Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985419Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "961012d06eeaabd9eff9b36173e566bf148a5c8f743f3329c70d8918eba26093", "comment": "Dangerous Physmem Kernel Driver (aka Se64a.Sys) [https://www.loldrivers.io/drivers/d819bee2-3bff-481f-a301-acc3d1f5fe58/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8311bac2-b999-56f6-9e7f-3282783a7d40", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816320Z", "creation_date": "2026-03-23T11:45:30.816322Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.816328Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d0e4d3e1f5d5942aaf2c72631e9490eecc4d295ee78c323d8fe05092e5b788eb", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "831538aa-6315-5a7f-9748-81cb92f646cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492002Z", "creation_date": "2026-03-23T11:45:31.492004Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492009Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5afa53cab2140ac26e16da42fc50a74e0c3a8cd3d44c3803f3168b9f3223ef7c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "83231f59-2a54-5958-bee7-0928e6edba6c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604861Z", "creation_date": "2026-03-23T11:45:29.604863Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604868Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c66af86b1c024969f80c1daf1c11ed88467035853083a2abf955e22171c63542", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "83364ac4-7213-5896-8f72-dde1c1a44db8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462370Z", "creation_date": "2026-03-23T11:45:30.462373Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462382Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ed8d68c07947c01ca03d886e6ca795a3f8b2f079e8292f019bba3b97b41eef54", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"834cbdee-0c88-58aa-9ddd-5a6c55b2a0a2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474217Z", "creation_date": "2026-03-23T11:45:30.474220Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474229Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d130e3e052b09dc154c32c170c227f7baaf74fa7767943478876c744fc3d026d", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "834eb938-6551-571d-a528-4bf90e486883", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.484245Z", "creation_date": "2026-03-23T11:45:31.484249Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484258Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "b446c8359d0d991f332b79adb9591e835a3c4b8fbf874047414f9456e6a728b2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8350dc32-12f7-5ed3-b0db-4948e17739cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835737Z", "creation_date": "2026-03-23T11:45:30.835739Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835745Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "82363ae5ac1f8f33cb83fbf9405fac2d77aa754e1e8a88a517656f19c0d12e67", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "83575387-f3ee-5e60-a7bc-4a52d242b24d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971839Z", "creation_date": "2026-03-23T11:45:29.971841Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971847Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "25c423b2170e7cb44134da651e87708631be0c9db8713c0bdb7b917c76c338a7", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "83591fac-4d50-5ccb-ac60-934e7c3f7518", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467151Z", "creation_date": "2026-03-23T11:45:30.467154Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467164Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6416ea9d2a15899dbf4a98b70bdedb4cc6eaf748c14c554b26ae2fe57ef8aa2a", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8360097e-3230-5dff-b5d2-c72120081da4", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611601Z", "creation_date": "2026-03-23T11:45:29.611603Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611608Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3ce4a30668938fb7785c9958772e3c171af320ecfea8fc298160e80fbf80fb73", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8360b943-3852-55e4-a030-f7ec7a7d0b8b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824636Z", "creation_date": "2026-03-23T11:45:30.824639Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824646Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": 
[], "type": "hash", "value": "fac6ae01d22d719a4f0cc2b9c761c1a81009ce9ebe7e47b96c8ebf32b810d219", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "83785a38-cded-55b0-8bc5-3a6304e50edb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500628Z", "creation_date": "2026-03-23T11:45:31.500631Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500640Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "77b849bca8645b152d5f432dfa504d3ea82f6512bdcdaa2db4db0ecbba55da85", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "837d341b-8f99-5ce8-b3fd-cafc1ac3cb24", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622845Z", "creation_date": "2026-03-23T11:45:29.622847Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622852Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a8492a553ee840235fd12fa47b6caf1e5a8c82c3f4b681921246d7f192ed9126", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8383dda2-a77c-51b0-9a4e-2cf40e70d555", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145695Z", "creation_date": "2026-03-23T11:45:31.145697Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145702Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "28eb2875b5190910d71d53955f348b9a2b2b713cea5d873b619fcdcad6c5b5d4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "83969ff2-f4a7-5ae5-993b-99905f623882", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607434Z", "creation_date": "2026-03-23T11:45:29.607436Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607442Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0466dac557ee161503f5dfbd3549f81ec760c3d6c7c4363a21a03e7a3f66aca8", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8398fe1b-53c4-5b3e-81cd-ce567fd37f28", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975786Z", "creation_date": "2026-03-23T11:45:29.975788Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975794Z", "rule_level": 
null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "98636f857235fb66122296db147cd29440de681a29bbd631fc94373da31f99fa", "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "83a108ea-13c6-58cd-a303-b27fbcaec527", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832747Z", "creation_date": "2026-03-23T11:45:30.832749Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832754Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7862001824edd94941d6ee2be998c9debf2d50e06b93f0abe54241c6b4a1d51f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "83b1e3c4-f372-5fdd-837c-1b6c7ca15ce2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978703Z", "creation_date": "2026-03-23T11:45:29.978705Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978710Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f596e64f4c5d7c37a00493728d8756b243cfdc11e3372d6d6dfeffc13c9ab960", "comment": "Vulnerable Kernel Driver (aka PanIO.sys) [https://www.loldrivers.io/drivers/5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "83b9ac6d-cf98-515e-82f2-7d421574deaf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150634Z", "creation_date": "2026-03-23T11:45:31.150636Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150641Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2f77034fb1a3d4a0d4cf23acf0753f0fb0349b82ec4be40290cb3f43e53352e2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "83c4f723-f120-5000-b16c-77721fc6d51e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468746Z", "creation_date": "2026-03-23T11:45:30.468749Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468757Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "002616bfe5bf3b13868d649d74ffe748317e3b0b33de8b9008683c906a0cae83", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "83d6c271-341d-5da8-a775-7e5ab597d583", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470072Z", "creation_date": "2026-03-23T11:45:30.470075Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.470085Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ab6430b72807637cc173f174301d8411bc17ec2cb542e739d28f77eb9d47327", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "83f25173-0739-51f5-8a45-47a36fdcec6c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608120Z", "creation_date": "2026-03-23T11:45:29.608122Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608128Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0a9b51770ba69c73db8fc81d50017e7ccf59dd05d3024d4c9f8ce03076ca8a7b", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "83f331b2-0899-5e23-a540-7e2d208bd1b9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146746Z", "creation_date": "2026-03-23T11:45:32.146748Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146753Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cba6ac0031f6ee2ea4bf8ffc7a1cffff7c4448431584f54b9a0fbec799e2466f", "comment": "Vulnerable Kernel Driver (aka ACPIx86.sys) [https://www.loldrivers.io/drivers/fd6c52b1-aeaa-4d89-8051-91acc68c3270/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "83fbe314-ca7a-5144-a437-b029442f0342", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830000Z", "creation_date": "2026-03-23T11:45:30.830002Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830008Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f281d9a254dee1e0a809cb71fa9355aadfc73d4777831da676e1a0d5ce9d983c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "83fe7233-0463-59c7-87a1-aadd5c7097f0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822782Z", "creation_date": "2026-03-23T11:45:30.822784Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822789Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e4f90ded38e11860497b9d0290bcf93a6bcb48e836b334010894a2de865b148c", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8402f38a-1832-5284-b84b-2a4efd94e8af", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469233Z", "creation_date": "2026-03-23T11:45:30.469237Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469246Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "40c740c6820ddc8f01013e7354278166c090cfe5e4027be1b187cf8cbd8a6b3f", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "840383ca-477d-5119-952a-c07eba4022aa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609997Z", "creation_date": "2026-03-23T11:45:29.609999Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610004Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "00dfeab446afecac7b44b0b1680d5ca7d421eda243e16db8c08706bb593a8391", "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "84051940-b341-5d3d-b654-89f40954433c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, 
"username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818574Z", "creation_date": "2026-03-23T11:45:31.818577Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818585Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1ba36fd2f7ee03f735164bd08a6c98621e5f9a17b63cd1ad37cad050e2a4bf80", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "84093ef4-c64c-57a0-9134-bbae6673e9ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815437Z", "creation_date": "2026-03-23T11:45:31.815439Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815445Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fa38a29b4dcda0a241b94c94e0b3ce9c06c344ffe59f718d4f30671a17d22123", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "840d31fa-24d9-5d52-ba97-29264b6b263d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984070Z", "creation_date": "2026-03-23T11:45:29.984072Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984077Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7877c1b0e7429453b750218ca491c2825dae684ad9616642eff7b41715c70aca", "comment": "Vulnerable Kernel Driver (aka VProEventMonitor.sys) [https://www.loldrivers.io/drivers/4db827b1-325b-444d-9f23-171285a4d12f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8411267b-dd5f-5a32-844d-15a4f8ec3a5c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495689Z", "creation_date": "2026-03-23T11:45:31.495691Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495696Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2fec89ba7ffb18f394f1387413b7ae2165480821b565f0fdd9719c8a90c8e072", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "84294827-86dd-5e91-8dcc-5191dd6e4a78", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.497488Z", "creation_date": "2026-03-23T11:45:31.497491Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.497498Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c362c7738a6d9a3dd6329bce987ac36874574384b275c3fcf3e27cf65dfb65ea", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "843673fd-4586-5c5b-8bdf-9bc5117493f8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809850Z", "creation_date": "2026-03-23T11:45:31.809852Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809857Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "145cf879dd3dcf38b328d1a0b94ffee8534fa6f5d0c34264d59fed7154b5c1c4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8444fbf2-dc2a-5d36-81c3-d5f5778557f7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.986235Z", "creation_date": "2026-03-23T11:45:29.986237Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.986242Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8a2482e19040d591c7cec5dfc35865596ce0154350b5c4e1c9eecc86e7752145", "comment": "Vulnerable Kernel Driver (aka VBoxUSBMon.sys) [https://www.loldrivers.io/drivers/babe348d-f160-41ec-9db9-2413b989c1f0/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "84531396-914a-500f-b688-59b0e4cd1e45", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474416Z", "creation_date": "2026-03-23T11:45:30.474420Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474428Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d5e671c37f0eeb437d1ef480ff15b855ef2fdbb127f9130443fbaa279c5a3d72", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "84633318-4039-5bee-b38f-35b8ce54a2fa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475244Z", "creation_date": "2026-03-23T11:45:30.475247Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475256Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d25b5e4d07f594c640dcd93cfc8ab3f0a38348150bd0bfae89f404fbb0d811c6", "comment": "Malicious Kernel Driver (aka e29f6311ae87542b3d693c1f38e4e3ad.sys) [https://www.loldrivers.io/drivers/c00f818c-1c90-4b47-bc29-fb949f6efb65/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "84797ff1-5acd-52ff-b177-b16519541de5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971096Z", "creation_date": "2026-03-23T11:45:29.971099Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971107Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cb6ad7998aa1eb9c3b08cb7185bd4425fcc9c9b02ecfb4a3492e7b93033e8b11", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "847abe91-788c-5720-a276-020863f38da3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.611830Z", "creation_date": "2026-03-23T11:45:29.611832Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611837Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6", "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "848719fb-9e90-5a1d-a54d-e9f29a293d35", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146783Z", "creation_date": "2026-03-23T11:45:32.146785Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146790Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b87085d408c250bdaf933642aa64975a7127cbe393023aaf53d918cd8bf0e3ae", "comment": "Vulnerable Kernel Driver (aka isodrivep64.sys) [https://www.loldrivers.io/drivers/bd6490c2-20ea-441e-803c-bc3b957dae4c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8489d886-cf22-513f-8b66-6da08cde7b85", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148791Z", "creation_date": "2026-03-23T11:45:31.148793Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148799Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2f77f88061432157635b71a7c388bbd9eefbac401b9c8620d8787ee03a5e5c95", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "84906764-36ec-58dd-bd92-4a6d56e47dbe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809648Z", "creation_date": "2026-03-23T11:45:31.809651Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809659Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "bdb6e4d73f7949bf58b4b854a3b85d20ef7e4486f88c2d2d02fb4922b7138dc2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "849103dd-af6d-512f-93db-f0df94e049d1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488117Z", "creation_date": "2026-03-23T11:45:31.488119Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488124Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "33475258d25e34a019400861d377c520c4b7e516e0141daf8a6a5e25172baf83", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8494bb16-bc5a-59b3-b5bb-db814195af7e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980064Z", "creation_date": "2026-03-23T11:45:29.980066Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980071Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5f6fec8f7890d032461b127332759c88a1b7360aa10c6bd38482572f59d2ba8b", "comment": "Malicious Kernel Driver (aka mJj0ge.sys) [https://www.loldrivers.io/drivers/412f4aaf-5525-458c-b87e-311e504b856d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "84b5b0ab-fbb1-5b19-8deb-2bfb214f6e1c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618761Z", "creation_date": "2026-03-23T11:45:29.618764Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618772Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e88617bf6581b7f48ab216f5a2cf40cfa728354f81a631568823426461902c87", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { 
"id": "84c3f592-bab1-5c28-a5d1-587304b595a4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976295Z", "creation_date": "2026-03-23T11:45:29.976299Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976308Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "575e58b62afab094c20c296604dc3b7dd2e1a50f5978d8ee24b7dca028e97316", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "84c8674f-d53d-5800-842b-c444e2d29e59", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973722Z", "creation_date": "2026-03-23T11:45:29.973724Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973729Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "654c5ba47f74008c8f49cbb97988017eec8c898adc3bb851bc6e1fdf9dcf54ad", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "84ce4f64-8e4d-56b0-9474-40395cd00e78", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825290Z", "creation_date": "2026-03-23T11:45:30.825294Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825302Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fd4e5d356f9c1f4fb71f8e0b3f20f7fd40c4fac0ccb8912460301c927362044d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "84cfd4c4-a9b6-5c14-9ae0-2e3ea10297ed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829808Z", "creation_date": "2026-03-23T11:45:30.829810Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829816Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "70ad5c343b092a4e0738787feb772680f68f2014129e1fd6ae1eae16f475d735", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "84e7457a-690b-56a1-83bd-8ab5a142465c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811663Z", "creation_date": "2026-03-23T11:45:31.811665Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811670Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5da99b951bad823261775596d6972183897a0eb005f6158e8406008781e87868", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "84f10e98-0807-508e-9e3c-f0f7285ba74c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811627Z", "creation_date": "2026-03-23T11:45:31.811630Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811635Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "42a56620cf2d1f718a9082e0ad37771d6f9c77c05cb65043043cbeaf10f8976a", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "84f6c9ec-7d75-58af-bf29-0e1cf76381a8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483405Z", "creation_date": "2026-03-23T11:45:31.483409Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483418Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a09bf49a5d3cfe891ac4db204c4c38a977c7bbcc6668c445c319035c1889b1b2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8503e349-8c4a-58b6-af9c-5560dfcebfe9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474959Z", "creation_date": 
"2026-03-23T11:45:30.474962Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474971Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b7e3bd414674a3258be7ce384619b74946bafa218648a00c04e4e74f987f5723", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8520447a-caad-5d11-bdf5-8ad25e15a0e0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140636Z", "creation_date": "2026-03-23T11:45:31.140638Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140643Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "29bdcffcee5ddef60fa022fe42957b4309afd40ab2504f148a3eea51625bb973", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "852d5ba8-3cae-5b4d-8bdc-baaea092ed03", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492803Z", "creation_date": "2026-03-23T11:45:31.492805Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492811Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2f5de6c3636e996c5173f1277e7639b84f9149229ace4582e08a8a1b14fcadf8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "852dd15a-d0a6-5fb0-b8b2-9d5b703becaf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462000Z", "creation_date": "2026-03-23T11:45:30.462003Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462012Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"e5ddfa39540d4e7ada56cdc1ebd2eb8c85a408ec078337488a81d1c3f2aaa4ff", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "85300aa9-a081-5a81-8baa-7bcb613c0424", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489702Z", "creation_date": "2026-03-23T11:45:31.489705Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489712Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d4089a7db28609073dc3ed733ea83b6334923ddd635b7b9153196b2f6489344c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "85328622-6c71-5e6e-b34b-92e2ec2cee3a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472202Z", 
"creation_date": "2026-03-23T11:45:31.472205Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472214Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ed1123884c56f51ceeff4b8436b0daca4345bea8d3be6d910d37ef36d97adc68", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8532b569-9f2d-5490-99c2-813354ca3843", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607997Z", "creation_date": "2026-03-23T11:45:29.607999Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608004Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "606beced7746cdb684d3a44f41e48713c6bbe5bfb1486c52b5cca815e99d31b4", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "85353b41-8fbe-58d1-bb94-eb918086deec", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489652Z", "creation_date": "2026-03-23T11:45:31.489655Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489663Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "981890ee9c10c9885b0e18bab66a1edc90873bc71f332df8c1569a935044bab4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "85376a79-eda7-50f1-9c1a-81f7859b5d7e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826650Z", "creation_date": "2026-03-23T11:45:31.826652Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826657Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "59af1616a5d287df7af458ea857bbff6ffa096ca3161c1576ba0a9c0a8ec6136", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8537c540-a2ea-56aa-b25d-980270622e0b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474482Z", "creation_date": "2026-03-23T11:45:31.474486Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474496Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2810d5f117de53be7460cdf9cb842e205bc57ecd1ac0f9a75cce6bf24a7679ad", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "854406d2-c011-542d-8da2-584a3c97bea3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477696Z", "creation_date": "2026-03-23T11:45:30.477699Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477708Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3e85cf32562a47d51827b21ab1e7f8c26c0dbd1cd86272f3cc64caae61a7e5fb", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "854ecd33-c255-5dd9-aab6-e3c9580d000a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825558Z", "creation_date": "2026-03-23T11:45:30.825561Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825566Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "74bcd33f80f319470a1953ba5ff5aa472bb608060f899823714debfec67e3f55", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "85536b3c-6500-58f7-81c0-ad8f3825c716", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817329Z", "creation_date": "2026-03-23T11:45:30.817331Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817337Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0e2a4bf10a9428888e043fa40f7af74a963ed663c6bf4e2f136e39c41f606db", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8558761d-66f6-5c6d-87fc-42eeae05a614", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969096Z", "creation_date": "2026-03-23T11:45:29.969100Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969106Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": 
"hash", "value": "1273b74c3c1553eaa92e844fbd51f716356cc19cf77c2c780d4899ec7738fbd1", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "855bcbfa-d741-57a5-baf9-338ad2cb8950", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621263Z", "creation_date": "2026-03-23T11:45:29.621265Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621271Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "436ccab6f62fa2d29827916e054ade7acae485b3de1d3e5c6c62d3debf1480e7", "comment": "ASUSTeK vulnerable physmem driver (aka AsIO64.sys) [https://www.loldrivers.io/drivers/79692987-1dd0-41a0-a560-9a0441922e5a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "856d3bc6-9c51-5de7-a640-944db2ac5a95", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823767Z", "creation_date": 
"2026-03-23T11:45:31.823769Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823775Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2c98d33a785d0ea8461d8ccc68e6a185ee47671bd798f027a758e6658cf67129", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "85749656-42ba-593a-b771-5b6133d17ea9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483180Z", "creation_date": "2026-03-23T11:45:31.483184Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483194Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ca18d6a7d349fce5d87c8df1cb134dc8a64ac30c52d8007959d91a9e18fb1290", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "857d144a-9ab9-5c26-b738-47b91a6c0165", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483847Z", "creation_date": "2026-03-23T11:45:31.483851Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483861Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "04f301e64c65392488add6711527ab76955cc5835691701fa16ae080b6366eb3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8585827a-b81b-577d-8189-521286e613ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481496Z", "creation_date": "2026-03-23T11:45:30.481499Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481508Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "9399f35b90f09b41f9eeda55c8e37f6d1cb22de6e224e54567d1f0865a718727", "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8585c362-f637-53f1-bb5f-1849cf020c6a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979394Z", "creation_date": "2026-03-23T11:45:29.979396Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979401Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "770f33259d6fb10f4a32d8a57d0d12953e8455c72bb7b60cb39ce505c507013a", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "85911e54-9823-50fc-8d0d-62d283e1c39b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475100Z", "creation_date": 
"2026-03-23T11:45:30.475103Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475113Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "19e80663f055a038621c6de731151e4e8d6f42fde359efaf2ddeb49c62e317c4", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8597c034-1310-5a1e-a25b-573795d15efc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809674Z", "creation_date": "2026-03-23T11:45:31.809677Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809685Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2647489235835128e939e3d49d6ec9369c09256e47b2c647a73a730346a3954c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "85a0def7-df67-5127-a898-abc2cdc9fd66", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608422Z", "creation_date": "2026-03-23T11:45:29.608424Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608429Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "78827fa00ea48d96ac9af8d1c1e317d02ce11793e7f7f6e4c7aac7b5d7dd490f", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "85b845e6-ef75-5bf9-aad8-d79d22262657", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151730Z", "creation_date": "2026-03-23T11:45:31.151732Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151740Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c4021068436795b26ebf4438a76e131f1630a95fc688380eee09c86f3d4ce6c3", "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "85b8522c-69e1-5c3b-93b1-ef3c20c621b4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615972Z", "creation_date": "2026-03-23T11:45:29.615974Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615979Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "314384b40626800b1cde6fbc51ebc7d13e91398be2688c2a58354aa08d00b073", "comment": "TOSHIBA BIOS update vulnerable driver (aka NCHGBIOS2x64.SYS) [no reference recorded] [hash type not recorded: file SHA256 vs authentihash SHA256 unspecified - confirm which the agent must compare against before relying on this match]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "85b9b4ad-ba4c-56ad-aca9-135620125c08", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974247Z", "creation_date": "2026-03-23T11:45:29.974249Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:29.974254Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "66539655171ddff02d8134241c58a53de3faa6467db7be14131e04b99ef33cee", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "85c0cc41-8fab-590c-984f-dfcb0aff69c4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809787Z", "creation_date": "2026-03-23T11:45:31.809790Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809799Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5913062e399ea3ae003c55025eceed37270932168dc514f6ca7d03c87e5b804f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "85c40e2b-8884-5494-b52a-c654a7727055", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152059Z", "creation_date": "2026-03-23T11:45:31.152062Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152070Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "20e726f48bd86327c0e438667072983195c8140c50fe325598e343b5c8337e48", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "85d2ed07-85a8-591f-8beb-1b63a279f39b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977587Z", "creation_date": "2026-03-23T11:45:29.977589Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977594Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b5606dc2a76350916cd77348cfdfe502256d759a4743dd4af503d2f7f348eb70", "comment": "Vulnerable Kernel Driver (aka CorsairLLAccess64.sys) 
[https://www.loldrivers.io/drivers/a9d9cbb7-b5f6-4e74-97a5-29993263280e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "85d8a669-85ce-5232-a004-db477c3b7d51", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144107Z", "creation_date": "2026-03-23T11:45:31.144109Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144114Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "29e4972cbcdcff16e1dfa7bf57b046ecba8db445e987e436c303755faff61c89", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "85e21733-1f36-5c31-8c10-e43e51b18d92", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978721Z", "creation_date": "2026-03-23T11:45:29.978723Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978729Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f246b9d22b3ffe15f2e97f306d049020f38ed162150c97d7a72e3ae0b22c79ad", "comment": "Vulnerable Kernel Driver (aka PanIO.sys) [https://www.loldrivers.io/drivers/5f70bde4-9f81-44a8-9d3e-c6c7cf65bfae/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "85e3ab86-5a3d-50a2-a3e3-2d62d59446a2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156569Z", "creation_date": "2026-03-23T11:45:31.156571Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156576Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e2f3eaa8c165f2aabf97f24b14946b9a196317ee3082a26b82232bbab4bdba12", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "85e5a15d-d525-58ac-985f-f68251796e67", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480469Z", "creation_date": "2026-03-23T11:45:30.480472Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480477Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "edbb23e74562e98b849e5d0eefde3af056ec6e272802a04b61bebd12395754e5", "comment": "Vulnerable Kernel Driver (aka GtcKmdfBs.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "85ea8871-35a0-505f-9f4a-e0ca3acbf671", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.142611Z", "creation_date": "2026-03-23T11:45:32.142614Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.142620Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1cd219f58b249a2e4f86553bdd649c73785093e22c87170798dae90f193240af", "comment": "KingSoft Antivirus Security System Driver (aka ksapi64.sys and ksapi64_del.sys) 
[https://github.com/BlackSnufkin/BYOVD/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "85ee9ba9-6420-5989-8246-afb39bca62f5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146435Z", "creation_date": "2026-03-23T11:45:32.146437Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146442Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1a74c2bde0c9a76486657ccb9c79ea87c9891a32cdd4aa15c7542f7c9487a539", "comment": "Malicious Kernel Driver (aka driver_1a74c2bd.sys) [https://www.loldrivers.io/drivers/af153e7c-13fa-4a40-a095-00726ad6d783/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "85f4e67a-c2f9-5cb1-a105-c66d5690fc4f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.815897Z", "creation_date": "2026-03-23T11:45:30.815899Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:30.815905Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "65cf1a886b3e3ec8070bde31cb8e254cd623de1e8c7dd71248b84e6de77a08e6", "comment": "Vulnerable Kernel Driver (aka FPCIE2COM.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "86017052-d7f2-5138-b7b0-b4ca8d2ead61", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607724Z", "creation_date": "2026-03-23T11:45:29.607725Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607738Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "862d0ff27bb086145a33b9261142838651b0d2e1403be321145e197600eb5015", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "860e59bf-7bdf-5580-93bd-221822578e34", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454536Z", "creation_date": "2026-03-23T11:45:30.454539Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454548Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "84cec13cf0e77ec889e6e01a265a8a5507c6e7d8b0ad6e971f346d2514a758fe", "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) [https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "86138443-ba7c-5a09-8c22-7e5c255d6c97", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834186Z", "creation_date": "2026-03-23T11:45:30.834189Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834198Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d32a94e7f1d7ef2c5449dfbcd01274f8943fb506f41b29fad00d4db71e8dcd0a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "861eb644-e365-58aa-8c2c-1b969b2448a6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140381Z", "creation_date": "2026-03-23T11:45:31.140383Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140389Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9947a8428d025a046e5d9d8802d9a1884ddb324c52653abeffc1f501195b6931", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "86266002-a6d6-5ddd-86d1-fb04af9c9c98", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153596Z", "creation_date": "2026-03-23T11:45:31.153598Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153603Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f198254936c2675e7137733f1f927da705f7535e401fa6d87be14bd6d57fa46f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "862a2e41-bc36-59ea-8c4e-a7c9eafafde6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967177Z", "creation_date": "2026-03-23T11:45:29.967181Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967190Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2b03a8bad9ecfcacc8e8a21ee310ce359e1382d7a5d5ce5284b32ecc2bcc4b8a", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "862b710a-71ec-5732-8ce5-f786dfb875d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812635Z", "creation_date": "2026-03-23T11:45:31.812638Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812652Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a683ab7ebe5f4ac157908267f80123d548e1b273cea57e2485ec8ddc81820085", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "86309dca-5932-52b4-9555-a809c55a3615", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479603Z", "creation_date": "2026-03-23T11:45:31.479607Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479617Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c9564153321652f89ce43a81efe351be6eb3a8f84e7b02f8c2162f2f297b6b18", "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "863af704-e2b0-5ba6-a603-f42f06d519e6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481442Z", "creation_date": "2026-03-23T11:45:30.481445Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481454Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d6cb3418c1a512aef6b15586bf5234689d4e471e854103a72d80a8597d263403", "comment": "Vulnerable Kernel Driver (aka phymem_ext64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8663209f-cc28-5174-8de6-339b60246770", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835859Z", "creation_date": "2026-03-23T11:45:30.835861Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835867Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "14d0649d4833f904071a57baea3184dcb289e28661fb95cd532fa2f7440e3cc1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8663bc9f-bf28-524b-a8ba-00115f5114ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985485Z", "creation_date": "2026-03-23T11:45:29.985487Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985492Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c", "comment": "Malicious BlackCat/ALPHV Ransomware Rootkit (aka dkrTK.sys) [https://www.virustotal.com/gui/file/56066ed07bad3b5c1474e8fae5ee2543d17d7977369b34450bd0775517e3b25c/details] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8668aa98-3053-5d57-837c-e6a931bf0ee8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494986Z", "creation_date": "2026-03-23T11:45:31.494988Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494994Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "87bcb6d213e862ffe9afd24a6417b02ccfd6a66808b130c803a7e1fa69eae2f7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "866f0ebd-2c0e-5a35-af58-8d3f6bbc3bc0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820618Z", "creation_date": "2026-03-23T11:45:31.820621Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820629Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"0c4195b9e85d718e9ca5b53230be30020e457e4424327ebdd51aa48661c91350", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "86814cc3-188e-5d33-bdb7-e9150a679935", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479161Z", "creation_date": "2026-03-23T11:45:30.479163Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479170Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "516f0bbbc1b47ec2d83cc51be104920899193e2784a45b835fe68f864af1733b", "comment": "Vulnerable Kernel Driver (aka rtkiow8x64.sys) [https://www.loldrivers.io/drivers/998ed67c-9c20-46ef-a6ba-abc606b540b9/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "86a08d35-5419-55f3-9bdd-733700b46825", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.488361Z", "creation_date": "2026-03-23T11:45:31.488363Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488369Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7e8a739fc928c76d792810c86641de94d9cc3ceb6a65576c6579c22d5775db51", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "86a142ca-6882-5595-aa3f-afe6ff9e6072", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490523Z", "creation_date": "2026-03-23T11:45:31.490525Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490530Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "59e7ecb67e77d91f11e3ec07eef716cb99543f5715102423a1c9812fd97fac28", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "86a5eac9-3d44-5138-b12d-b59bb3276835", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485707Z", "creation_date": "2026-03-23T11:45:31.485711Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485721Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dea05ba6d07c03fad203e2016f522a323ac69ddf7dd951bb675006a0711277d6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "86a68632-bbb9-5f36-9e66-77360cf1dc5d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.496074Z", "creation_date": "2026-03-23T11:45:31.496076Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.496081Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "2af1c26840590e3bddf622705cf2557a4781b1ac195de1df8e5ff7261ce8a6c6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "86bf9e70-aef7-5365-b648-88e4e60814ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461554Z", "creation_date": "2026-03-23T11:45:30.461557Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461566Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "12a636449a491ef3dc8688c5d25be9ebf785874f9c4573667eefd42139201aa4", "comment": "Vulnerable Kernel Driver (aka netfilterdrv.sys) [https://www.loldrivers.io/drivers/f1dcb0e4-aa53-4e62-ab09-fb7b4a356916/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "86da8630-6524-55f6-86fa-3119d2d857dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142558Z", "creation_date": "2026-03-23T11:45:31.142560Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142566Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee94d33ba5d7718c87023e96dc6e263e0820fbf798168273f7f9266ab9f5aef8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "86e70f28-6163-5a96-bf9c-3ba205918805", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494763Z", "creation_date": "2026-03-23T11:45:31.494765Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494770Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "727fe503800e3cc91f21bf08ab6da107804f37ea295bb72fafb5387d0030f204", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
} { "id": "86f02377-977d-5867-ad8e-89c9208aacc8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.986049Z", "creation_date": "2026-03-23T11:45:29.986051Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.986056Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "22074c412bb82bd97768eba0cb40e451d75d969e94d0548af804aafc04ca02fd", "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "86f2e6f9-dbd8-5a81-9b75-8839936abaf2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814439Z", "creation_date": "2026-03-23T11:45:31.814442Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:31.814451Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "05159d9a44a7b169ca8f314627a003203646244d05362de69b1f36b814fe2224", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "870746e4-b59d-5cce-a633-caa4e4f31a57", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969168Z", "creation_date": "2026-03-23T11:45:29.969170Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969176Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "65008817eb97635826a8708a6411d7b50f762bab81304e457119d669382944c3", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "870dc787-9aab-547d-ab44-81b337d5d5ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483720Z", "creation_date": "2026-03-23T11:45:31.483724Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483734Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c6c44bb8ee72f922baa6acb2ad626177d51c82f9f6594c372b51ae16a99e4d4c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "871f8463-4024-558e-a089-c300e2bdf0b1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832261Z", "creation_date": "2026-03-23T11:45:30.832263Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832268Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e81facaffce754a2c9ecfa49aba81b236b229c682f1d284edd044ba936815285", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "871fc288-415a-5568-af82-ce0822f38b0b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820702Z", "creation_date": "2026-03-23T11:45:30.820704Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820710Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bc453d428fc224960fa8cbbaf90c86ce9b4c8c30916ad56e525ab19b6516424e", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8722a1ae-2be3-511f-bc09-07ad73d2dc6c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612717Z", "creation_date": "2026-03-23T11:45:29.612719Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.612725Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8926be6aa6df3b5d20483e0e698ea14fa0fb760844468ed69143d7f503250349", "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8733836e-a6ed-5f67-8ca0-9e5eb40fb68e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982853Z", "creation_date": "2026-03-23T11:45:29.982855Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982860Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9d530642aeb6524691d06b9e02a84e3487c9cdd86c264b105035d925c984823a", "comment": "Vulnerable Kernel Driver (aka WiseUnlo.sys) [https://www.loldrivers.io/drivers/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "873e8945-3a91-5ec4-83da-e1238bdc3650", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460207Z", "creation_date": "2026-03-23T11:45:30.460210Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460219Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5de78cf5f0b1b09e7145db84e91a2223c3ed4d83cceb3ef073c068cf88b9d444", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "874c16a7-3914-5668-8bfa-015b85f40d08", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156843Z", "creation_date": "2026-03-23T11:45:31.156845Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156850Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "84af161109a74a85355f6f87e64b280950bd9bd60444f83a2915aa760b6090a5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "874e684a-ab3d-5b7f-bd88-280ca38e55e3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971784Z", "creation_date": "2026-03-23T11:45:29.971786Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971792Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c7ba2720675aada538c47fa9e8950a81b6df23f63fa181680e6232651abffbef", "comment": "PowerTool Hacktool malicious driver (aka kEvP64.sys) [https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HackTool.Win64.ToolPow.A/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "875a76c4-c07c-5059-a970-87c73778c0f1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481164Z", "creation_date": "2026-03-23T11:45:31.481169Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481178Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f27ae0329768838beaeed1dfcc5e9b29f43b930019cb99ab1a634f79f404c1ba", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "875c3f83-d5c3-500b-a04b-444c6511395a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816906Z", "creation_date": "2026-03-23T11:45:31.816910Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816918Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1d5efd09cae59c8377f6faa0b6563c8e7e362d5b0e010bcee1af9fde5862742c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "875e1e1c-58c1-5c0b-b4d0-6898d13ece60", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485737Z", "creation_date": "2026-03-23T11:45:31.485741Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485751Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b067710a04f656914df1c39ece3db3a1ff33e25be0938ac4ac5beb609c7c25fd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8765bbe7-d01c-5d0c-a550-5eaffb8d695a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144466Z", "creation_date": "2026-03-23T11:45:32.144468Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144474Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a4c0e1bf3b397ebe5105a15dce686d7a171e01d5d4af32d67a8974de55afdf19", "comment": "Vulnerable Kernel Driver (aka ProcObsrvesx.sys) 
[https://www.loldrivers.io/drivers/8a1a4a5d-3e41-4539-80cd-0cb751f7fab3/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "876a4c04-1093-5fb7-836a-867042eb9ce6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476243Z", "creation_date": "2026-03-23T11:45:31.476247Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476257Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bc2aacf2a7b4759dc416c62215ec054bb5be0578758bf50af6bee4518aaf2da7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "876cf23b-2226-5765-8990-6b5079cac3a9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474513Z", "creation_date": "2026-03-23T11:45:31.474517Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474528Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6a0b6d3d6f5b0060b7b726aba2be928195eac02d9578bcb7bf0720f1253ea5d0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "87789c69-186d-55a7-a4eb-d32519aa3a42", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143779Z", "creation_date": "2026-03-23T11:45:32.143781Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143787Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "52b1c4667ef36a02a0e6d7f147b8d4bc0e30645e6c88bd2984e53abc693bc18e", "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "87795b7a-f8f5-5a41-a1c3-d04dcb8c2299", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831420Z", "creation_date": "2026-03-23T11:45:30.831422Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831428Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5a3114c8a786568a23ac21ae9199a46a87a55e9682e918b0592f8f9fbcb148f8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "877c8c2d-b1de-5e45-815a-f03f22f84101", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142862Z", "creation_date": "2026-03-23T11:45:31.142864Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142881Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d831b59f2940fbe46b818dd685e80930f034b760efad477aa51d55ab67259ac3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8785b208-9372-502a-804f-27e88a73e044", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487106Z", "creation_date": "2026-03-23T11:45:31.487108Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487114Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c8b755be6751be0ece9e353495220ab5fa3d8f3ea217062a3c74d247e47d07dd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "878b928a-0010-50a6-891f-c4f767faec7b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466468Z", "creation_date": "2026-03-23T11:45:30.466471Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466480Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4b97d63ebdeda6941bb8cef5e94741c6cca75237ca830561f2262034805f0919", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "879b44d9-3e6a-50f0-93df-28fe5327a965", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474615Z", "creation_date": "2026-03-23T11:45:31.474619Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474630Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ef5e7e4937163d52f8bbee079c2b72b8f614e7410e2d39fd2ac099e26ad210b6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "87a72ab2-2350-56bd-a439-a8a3c215d1f4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142808Z", "creation_date": "2026-03-23T11:45:31.142810Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142816Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "381ae5f7cace085a6bd7d5eb084e05743195ff7a2c118f7dca7863b56e1e6c0f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "87b58a57-1f60-56a9-b382-a745c2279d22", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464543Z", "creation_date": "2026-03-23T11:45:30.464546Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464555Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "31b66a57fae0cc28a6a236d72a35c8b6244f997e700f9464f9cbf800dbf8bee6", "comment": "Malicious Kernel 
Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "87c94aad-c20e-529c-a314-40d6a61b4276", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499828Z", "creation_date": "2026-03-23T11:45:31.499831Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499840Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b8f58bf2b14479b8ec6411cae7fd49b723ec191c9037d23266311ef3561c35c3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "87d2abd8-6bec-5761-9862-0742798dfc3d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830223Z", "creation_date": "2026-03-23T11:45:30.830225Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830230Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "372f0918c7aeba23adbeefcea069a62712c16ce6738fb92905e29c00abf29b6c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "87e00e7f-59e8-5dd2-95fb-371a52f4ac09", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976052Z", "creation_date": "2026-03-23T11:45:29.976056Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976064Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d68410930319a6abf445708b9f7df300289cf9e52489f1701db76116f1ebd6a", "comment": "SystemInformer driver (aka systeminformer.sys, formerly known as kprocesshacker.sys) [https://github.com/winsiderss/systeminformer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "87e3903a-c7ba-5ce5-9cfe-5b71eec930ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811152Z", "creation_date": "2026-03-23T11:45:31.811154Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811159Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "61016707e83776e6e9f5f3468982e3e7c1761d598f73144ae10c7e1bdeb4a5b5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "87fd30f0-908e-5f53-a463-dc05fb640735", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618254Z", "creation_date": "2026-03-23T11:45:29.618256Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618261Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b715d5682ab59a0ce3f858e47bf79bdf876a899f618c12c22b27cb1dd4daa8f4", "comment": "NVIDIA vulnerable 
flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "880bf845-0725-55c6-a5bf-58ed08063a5a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487773Z", "creation_date": "2026-03-23T11:45:31.487775Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487780Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "648e9acdbcf02ddcc157bbd5c3f85e2126e6f3e960f64477a3cb215c9fb59598", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "881d66cd-13e6-5bd6-b17f-63221ead8ec1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.813703Z", "creation_date": "2026-03-23T11:45:31.813705Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813711Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2138aada6d7a26cdcdc2781d52228e844866676523a402f2bdd091623e3cea43", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "88209b59-0823-52df-b02f-688d462fa5a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829522Z", "creation_date": "2026-03-23T11:45:31.829524Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829530Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4c0548e6b0f2d752bb4bd37f3afc8309f5df03adb0c4d21a21f779212b09a1c1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8828ff5b-525c-58e4-a444-81aad999aec5", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811787Z", "creation_date": "2026-03-23T11:45:31.811791Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811799Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d19d90002cf6cf5dcfb3bec1c26c8ca3513e8125cac6e6a260270648c657008d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "882b217e-1f68-535e-8f21-159da5e00e42", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984693Z", "creation_date": "2026-03-23T11:45:29.984695Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984701Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "dd09931d050a354b34731621191795483930bb5f00aa6fba5bb849ea2c89224c", "comment": "Vulnerable Kernel Driver (aka VBoxUSB.Sys) [https://www.loldrivers.io/drivers/5938df1d-9513-449f-8252-c442ddca0c2a/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "882e1aee-45ef-5e83-89a6-1c894eba1534", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609650Z", "creation_date": "2026-03-23T11:45:29.609652Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609657Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6c7120e40fc850e4715058b233f5ad4527d1084a909114fd6a36b7b7573c4a44", "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8830abbd-8d78-5d8e-991c-660edc6ff5f6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472214Z", "creation_date": "2026-03-23T11:45:30.472218Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472227Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6001c6acae09d2a91f8773bbdfd52654c99bc672a9756dc4cb53dc2e3efeb097", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8837c645-02a1-5790-910a-45ce28fba910", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479901Z", "creation_date": "2026-03-23T11:45:30.479903Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479908Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6b3196a346973837242d92f3a0ff7bdc2485075d51de0b53650e4ef7348c7a83", "comment": "Vulnerable NVIDIA Kernel Driver (aka nvoclock.sys) [https://github.com/zer0condition/NVDrv] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "88453b33-0d34-5242-9680-aab402878ac4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.158859Z", "creation_date": "2026-03-23T11:45:31.158861Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.158867Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e0f1aad657bb2576b5d110e698954fbcb5e7cbecea7811df2c66ef949e06afa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "884cd8f0-411f-59d2-b1b7-689892e04a4b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831639Z", "creation_date": "2026-03-23T11:45:30.831641Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831647Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"0a418bce19620d466f516956279ac4072de1391ce704558317ad6b78146fff86", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "88570ad1-2377-5dec-8b7a-2d997d6f8c9f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819598Z", "creation_date": "2026-03-23T11:45:31.819601Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819610Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "936131f90127991c8cc5bbadbd26016fbe148f0e9d039a5b40c5cedc19d6edf6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8859a137-3533-54bb-b847-9b2931451e98", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825549Z", "creation_date": "2026-03-23T11:45:31.825552Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825561Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "de08dfc173672c79e55af09e5bf86f5d9cb6968a9bb77457e689f629642f1b18", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "885d54e3-ed28-5275-b557-250956736422", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153840Z", "creation_date": "2026-03-23T11:45:31.153842Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153848Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "44899bc99bd4383c35fe36b6563509c1d4e9eca92b05378ee7b68eb1e0f7ac96", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"885f5aed-0869-59e5-b9ec-8a95e2e786a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462699Z", "creation_date": "2026-03-23T11:45:30.462710Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462719Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9e56e96df36237e65b3d7dbc490afdc826215158f6278cd579c576c4b455b392", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "886072b0-2957-594b-a14a-378352224ace", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827802Z", "creation_date": "2026-03-23T11:45:31.827805Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827812Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "22d99dea02cef171a259514d5df1c7ad8bec039efa524adde6d8baf26c809945", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "886b6f9e-b4a0-5043-ad32-21f2f8486101", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157512Z", "creation_date": "2026-03-23T11:45:31.157514Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157519Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9809b818ed8be17eb1df23699a3e56cc4ef2285d451110933790ef37cb2a193c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "886b904c-1b22-526f-a425-3ca94e908dbf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145291Z", "creation_date": "2026-03-23T11:45:32.145295Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145302Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8e681ed97f08f8dc269c85b75160a508e59ba3045ddb14f99d64dd767dc556ba", "comment": "Malicious Kernel Driver (aka driver_77225a99.sys) [https://www.loldrivers.io/drivers/5fb86651-c152-404a-9a2f-0f54b0d2bb55/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "886f8a99-caa8-5a18-b353-0accdeb04181", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834326Z", "creation_date": "2026-03-23T11:45:30.834329Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834338Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd0d5cfc979656771528d3b0b06176198ea6db6dce738a75a2a1104ec7d79adf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"88750238-1419-5a83-a6fc-0908e9044de7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826549Z", "creation_date": "2026-03-23T11:45:30.826551Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826557Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ad53841b2f9e90005057b3c436060baa8d2031f8c0e2dc43144452fa8c6d63b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "88771e57-58bb-5fe1-ac07-e0c0eaae184c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.815708Z", "creation_date": "2026-03-23T11:45:30.815710Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.815716Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "be62ed235421930c84ce9c7789f3beb6b7a48a6bca9065063b7ce78effde1db2", "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "887e1105-555e-5987-9c6d-e58bd375dc63", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817053Z", "creation_date": "2026-03-23T11:45:30.817055Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817060Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "81d54ebef1716e195955046ffded498a5a7e325bf83e7847893aa3b0b3776d05", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8882eb4f-8a08-5d0a-9236-595dae04cca7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974299Z", "creation_date": "2026-03-23T11:45:29.974301Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974306Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3ed3d54fb8222d861785f0d7e71d6223278fbf4d0baa335a54813087d7c3674e", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "888a5efc-afe3-5771-aa34-3fb59335367d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622491Z", "creation_date": "2026-03-23T11:45:29.622493Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622499Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e3b257357be41a18319332df7023c4407e2b93ac4c9e0c6754032e29f3763eac", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"88aae4ce-8e46-53d9-8189-d07f835d6578", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823359Z", "creation_date": "2026-03-23T11:45:30.823365Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823375Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "891ad430e7f1d58ef85b437505a6016fa99a72abcfd4734476efc5fc1fcd1cba", "comment": "Vulnerable Adlice Software Truesight/RogueKiller AntiMalware Driver (aka truesight.sys) [https://github.com/ph4nt0mbyt3/Darkside] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "88bad8d1-2aa9-5ef7-8ae4-5dad7748abf8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820894Z", "creation_date": "2026-03-23T11:45:30.820896Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820901Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "37d999df20c1a0b8ffaef9484c213a97b9987ed308b4ba07316a6013fbd31c60", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "88c1d35b-2a83-56c9-8320-2afc9bc424cd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985304Z", "creation_date": "2026-03-23T11:45:29.985306Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985311Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3243aab18e273a9b9c4280a57aecef278e10bfff19abb260d7a7820e41739099", "comment": "Dangerous Physmem Kernel Driver (aka Se64a.Sys) [https://www.loldrivers.io/drivers/d819bee2-3bff-481f-a301-acc3d1f5fe58/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "88c86f6d-8a0b-52ea-a2aa-62fc24430ccc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.156073Z", "creation_date": "2026-03-23T11:45:31.156075Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156081Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bc8f9bb57eea8ab776ae7391505ffb5fdb7858d81270b97eac40cd7acdf81877", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "88cd7ef8-9495-5684-aa6b-681251781c96", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493143Z", "creation_date": "2026-03-23T11:45:31.493146Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493155Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a8480b44d50421c9ec4cfa00590bc48ca68527e821cc3d7e71860b491e30a41b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "88cfffe3-8b2d-5342-90d8-a4ebc453933a", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492467Z", "creation_date": "2026-03-23T11:45:31.492469Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492474Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5baedc54ef0f89578724cbd3ebe5d6c38c2c5795f6cd21e65e575f6a91ead007", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "88d6e481-c171-5d3a-9281-935afca0df92", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618887Z", "creation_date": "2026-03-23T11:45:29.618889Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618894Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "cbb8239a765bf5b2c1b6a5c8832d2cab8fef5deacadfb65d8ed43ef56d291ab6", "comment": "Vulnerable Kernel Driver (aka amp.sys) [https://www.loldrivers.io/drivers/ca768fc5-9b5c-4ced-90ab-fd6be9a70199/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "88e5f198-b107-579e-a5e4-d97baf71c799", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475446Z", "creation_date": "2026-03-23T11:45:30.475449Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475459Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "42ff11ddb46dfe5fa895e7babf88ee27790cde53a9139fc384346a89e802a327", "comment": "Malicious Kernel Driver (aka a26363e7b02b13f2b8d697abb90cd5c3.sys) [https://www.loldrivers.io/drivers/ef6b5fe8-6c4b-4b32-8adc-c1d8a83e8558/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "88ee419a-6dfb-573a-b316-977b6085be0b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.478475Z", "creation_date": "2026-03-23T11:45:31.478491Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.478514Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "43a059aae1238eb3a19fd1ee7a7c9ef3ddfe903bab91c377b4e44238010b4b7f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "88f5eb26-4477-5a52-99c0-8509e0d33537", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605647Z", "creation_date": "2026-03-23T11:45:29.605649Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605654Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6e944ae1bfe43a8a7cd2ea65e518a30172ce8f31223bdfd39701b2cb41d8a9e7", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "88faca8b-0bd8-52ab-8b66-794997efe566", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475251Z", "creation_date": "2026-03-23T11:45:31.475255Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475264Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b89b1e137d6bdac313585b007d5d063d8a5c7864b42017d8d1a7188d6b1276d8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "88fd5d44-19da-537e-b0af-1953bc63e9b5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820231Z", "creation_date": "2026-03-23T11:45:30.820232Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820238Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "73664268a737d071f2c3c67503002db08432953f14771317835b6f080d3daeff", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "890a040d-13d9-583a-b30d-a90821109f33", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618603Z", "creation_date": "2026-03-23T11:45:29.618605Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618610Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cc041a5c21339d62c9ea05215c2c42697f73a3820c83133eb6c6fa574a095384", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "89122970-562e-5a50-bb3a-e07fc760d058", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610141Z", "creation_date": "2026-03-23T11:45:29.610143Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610149Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "45c3d607cb57a1714c1c604a25cbadf2779f4734855d0e43aa394073b6966b26", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "89237bd7-2fc4-5256-bca6-fb30fb8c6b1a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467678Z", "creation_date": "2026-03-23T11:45:30.467681Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467690Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "63e9918f94a1ae5d71e8972f49bfbce13d8b1774b7237b022f182f03cc9ce715", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "892a5e6f-133a-5067-8c1c-f552f00b5b47", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485978Z", "creation_date": "2026-03-23T11:45:31.485982Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485992Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ba874cc6574578d137caea35cd8e2133ed9d5ad55fb16701dd3d4be74cff9468", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8940aa3e-12ac-5608-ad60-0cc75913fc40", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972843Z", "creation_date": "2026-03-23T11:45:29.972846Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972851Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "56e8b8d21317d58abd8399b276ee800c62a53e864cd3553899e33b8616ef07a6", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8945d603-a254-516a-9d54-b613645f43dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969221Z", "creation_date": "2026-03-23T11:45:29.969223Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969228Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a2f45d95d54f4e110b577e621fefa0483fa0e3dcca14c500c298fb9209e491c1", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "89483c03-249d-5141-b24c-f8319bbfa2c9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834106Z", "creation_date": "2026-03-23T11:45:30.834109Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834117Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0b783875f123bec0082eabd4fc235f4790337b044fd7c72993ab5f118c16fb04", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "895478af-e180-58ff-bc17-7e47393c44c8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147130Z", "creation_date": "2026-03-23T11:45:31.147132Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147137Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "21cd1c9f9966b068dcc2eb4e474051a6bd7bbee40b0d034f86a45829f34cc6bc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"895b48b0-1d09-5bf9-82e6-cf4e757ac4dc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622599Z", "creation_date": "2026-03-23T11:45:29.622601Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622606Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2b186926ed815d87eaf72759a69095a11274f5d13c33b8cc2b8700a1f020be1d", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "89604d9c-4223-5668-88f3-d77bff91f14e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.497753Z", "creation_date": "2026-03-23T11:45:31.497757Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.497765Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "147ceda2d23bc576729003070127b1c0fa57d2c5a2e3f52ad7358b1f8c157f9d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "896c2171-3a9a-5785-8dc8-f58deffd9594", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494529Z", "creation_date": "2026-03-23T11:45:31.494531Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494536Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "056b87911f8f7d15bbe242c3b4625bb4cbe98695a38d05c10f3bc3df8de23693", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8972a31a-1295-570b-8dc8-3aba93c6f1c8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160755Z", "creation_date": "2026-03-23T11:45:31.160757Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160762Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9e3120166146e5c1c0a0d07ef87fdde6356946e384b9c3ab575449f945430814", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "897c40a0-2f11-51a5-9f6c-a5116648db99", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481239Z", "creation_date": "2026-03-23T11:45:30.481241Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481246Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8866f6e762dd7dea58c9e9486da53d716f3ae61048a8a10f8033b60fb5028914", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "898d7ef2-6af5-5ac2-9d92-6e3b6eb77455", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480580Z", "creation_date": "2026-03-23T11:45:30.480581Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480587Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5df689a62003d26df4aefbaed41ec1205abbf3a2e18e1f1d51b97711e8fcdf00", "comment": "Vulnerable Kernel Driver (aka PDFWKRNL.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "899041eb-34cf-5965-8308-192eca166540", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478513Z", "creation_date": "2026-03-23T11:45:30.478516Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478525Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ef8c776a6acd4fd360b22e7d053bba961d687c36ec4fcc0b3e2ff1ef7be967e", "comment": "Vulnerable Kernel Driver (aka vboxdrv.sys) [https://www.loldrivers.io/drivers/2da3a276-9e38-4ee6-903d-d15f7c355e7c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "89b3dbda-7785-578e-a386-5402b0303e86", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829771Z", "creation_date": "2026-03-23T11:45:30.829774Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829779Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "de88b28e2b2a4a6a2aebd0d36a843c7dace17d4d084e0171457f15ace72c69ef", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "89c0f68c-7fcb-5331-9d68-68e0adced549", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831018Z", "creation_date": "2026-03-23T11:45:30.831020Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831026Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0b40e38733389d14ff29c73c08be4651f09b111e670cca1574961ff35bbbb93c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "89c541d7-99a3-57cf-b501-544b4244c894", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473719Z", "creation_date": "2026-03-23T11:45:30.473722Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473731Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "08b5f31070e370fbbf4f6e9a99c594c6e33846c82a56c773116705eda3109b62", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"89c72da7-41a0-5396-9bb5-954e3ea8aaa5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160239Z", "creation_date": "2026-03-23T11:45:31.160241Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160247Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a80c261e4dc630c0b8d52eff151b6773eb533b9238163b1e84d9b0c2a8f3d386", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "89c7933e-886d-5123-9a1f-358c0ab0de39", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979168Z", "creation_date": "2026-03-23T11:45:29.979170Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979176Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "98a55dc61046f4509d2465cbc373a9391c07125e5f4a242d2f475f14f32e5430", "comment": "Vulnerable Kernel Driver (aka elrawdsk.sys) [https://www.loldrivers.io/drivers/205721b7-b83b-414a-b4b5-8bacb4a37777/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "89c93e0e-0e92-5af5-b8f0-a297a779ee5c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472637Z", "creation_date": "2026-03-23T11:45:31.472641Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472649Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "273d62b62ee2470aed571001f0385341ba2b1bcbe035a8395870c468def80daa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "89f9408f-7386-57ce-af81-d4c1bb0efa43", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479764Z", "creation_date": "2026-03-23T11:45:31.479768Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479778Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c149713a1c40a9cb2cbbd5846eefffa0784a07a80bf56c2138865aaa9fba4d6d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8a0a9d9e-505c-54fd-9867-65a9ee49dcac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823016Z", "creation_date": "2026-03-23T11:45:30.823018Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823023Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "096e1641d26aa971dabc7de17c0259d3aa922091e38928ba7847e4ead64b7f41", "comment": "Vulnerable Kernel Driver (aka SysInfoDetectorX64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"8a0b331e-b806-56e3-aecd-b7dfe55bbf3b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498911Z", "creation_date": "2026-03-23T11:45:31.498914Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498922Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "de5287a3a9d675859bda7b5c6a9a6877f9065068e7949f0cfcbb353426afcb9e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8a128f54-7502-50e9-9dd8-b750f196d90d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483816Z", "creation_date": "2026-03-23T11:45:31.483820Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483830Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "26407df9f689b6dfed3be1bf1c617fdc6f75608b0c9cfc8b214db284c3aa6b8f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8a26649e-8f69-5d39-b33e-04536a061794", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160136Z", "creation_date": "2026-03-23T11:45:31.160138Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160143Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e7933b183cc69a05911e9612d3e3b1f743d3f666c548cacb6d3cf8699a6f0ebb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8a2ebcd9-f8ba-5958-ae84-9fbbd2339601", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605825Z", "creation_date": "2026-03-23T11:45:29.605827Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605833Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d1e5ca66ead46af21b7efb2229ad2901cc0017824e811990de8e5098696ae36a", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8a3e90db-b3b0-5e24-bf49-463a461ea9cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810540Z", "creation_date": "2026-03-23T11:45:31.810542Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810547Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0d6b6eec472134d99daf1c14a0104e87a5b269f529467abba9a5429228149995", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8a504a5f-4195-5ae1-9e3a-beabad199a55", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819036Z", "creation_date": "2026-03-23T11:45:30.819038Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819044Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "88188ebb2dd61397d816274645cce6044489675a52d835faf518b2d137e0604c", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8a5247bc-836d-5869-86ad-d85ce0c8d123", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614805Z", "creation_date": "2026-03-23T11:45:29.614807Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614812Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a961f5939088238d76757669a9a81905e33f247c9c635b908daac146ae063499", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8a548938-e7ea-57f5-a7d3-7f2361fa98ad", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820490Z", "creation_date": "2026-03-23T11:45:31.820493Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820500Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6bec424bd6775c3ebc57fe1c6fe1d280e3f82d5b104eec2a75771bdfdff99148", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8a5ff61e-9eab-56df-8e94-dd96c61ebfed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457306Z", "creation_date": "2026-03-23T11:45:30.457310Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457319Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3ee89c1e8738d465d241630ccca4ce218afc02421461e6de91e4dc8133e9501c", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8a635413-e89c-58fc-9d02-d1950fb34df0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613101Z", "creation_date": "2026-03-23T11:45:29.613103Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613108Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b9a4e40a5d80fedd1037eaed958f9f9efed41eb01ada73d51b5dcd86e27e0cbf", "comment": "ASUS vulnerable UEFI Update Driver (aka AsUpIO64.sys and GVCIDrv64.sys) [https://codeinsecurity.wordpress.com/2016/06/12/asus-uefi-update-driver-physical-memory-readwrite/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"8a7601fe-2e2b-55ca-a611-56aeb43c5c39", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829838Z", "creation_date": "2026-03-23T11:45:31.829841Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829850Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "69963e7c2ac52f1d796e40f9907056f574a93c973371e735e9d8436c7be9c565", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8a84ec23-4eaa-56e3-bb1d-dfd46932604c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808358Z", "creation_date": "2026-03-23T11:45:31.808360Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808366Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "39eb433dcde3f3852be94f1cf39f125fdffdea0aaada2ff11d8b6004f518f22c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8a88477f-20e6-5e32-937f-d16992068a3b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.161038Z", "creation_date": "2026-03-23T11:45:31.161041Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.161046Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "26f46b7d452c0ec33e6bbfd1a4d8a5cf5cf1192163cd9bdff14fc2fec9168033", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8a8caf00-804c-550a-b509-3be504ca5c73", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825577Z", "creation_date": "2026-03-23T11:45:30.825579Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825584Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "695b606b4b9ee6b825c57d4c6f869a9c076dc413301ef615f15b11dba5257320", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8a8e0035-65ca-5687-a767-93737a9ccae0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828204Z", "creation_date": "2026-03-23T11:45:30.828206Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828211Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f882326961c4ec155a5b2b049bb663a75732e77073562bc17d98fab8368e4c1a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8a92efbb-6a3b-52b5-af3f-f3bc92866646", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480598Z", "creation_date": "2026-03-23T11:45:30.480600Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480605Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6945077a6846af3e4e2f6a2f533702f57e993c5b156b6965a552d6a5d63b7402", "comment": "Vulnerable Kernel Driver (aka PDFWKRNL.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8a94391d-4bbf-5088-ae88-b0e45473c4f0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.815669Z", "creation_date": "2026-03-23T11:45:30.815672Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.815677Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "da5e27b18d3c1403975a8e17431242f208621348264ebe770db8b07813a1a0f8", "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8a960e0b-d246-5b2a-9ac1-644b51975102", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.142921Z", "creation_date": "2026-03-23T11:45:32.142923Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.142929Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2d345b048fabc9d2013358fb20fca0eb441909129f1d81965eadad8c7f812886", "comment": "Vulnerable Filseclab Driver (aka fildds.sys, filnk.sys and filwfp.sys) [https://twitter.com/SophosXOps/status/1764933865574207677] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8a982306-2b98-5ef4-8cde-8bbac05ae82c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826567Z", "creation_date": "2026-03-23T11:45:30.826569Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826575Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9fb3ff6c62c48b9b2e81317be4d68d8bed5d81e28ce14ea51f6a2feeabee1458", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8aa5015c-7ecc-5b39-a5dd-72ab623e96f9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821485Z", "creation_date": "2026-03-23T11:45:31.821487Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821493Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0e314f9d7da2710735c800b07a22e309f795afce2de1f71a36e252b2ab71dad1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8ab390eb-3266-5060-a812-1fedad7c53a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147006Z", "creation_date": "2026-03-23T11:45:31.147008Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147014Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d75cfd37fa1c5c4f59f7873265d2874859b510ce59c311303ffe0dd918c55689", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8ab84a51-526e-5bef-ad9f-90c4d3cdd0fa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480713Z", "creation_date": "2026-03-23T11:45:30.480715Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480721Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "39f137083e6c0200543e1f8d3c074f857d141bdb8c8f09338d48520537b881aa", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8aba0632-aa62-595e-9c0f-77d782dbc127", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819209Z", "creation_date": "2026-03-23T11:45:31.819211Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819216Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6e4d6ea7cdee57d72c81b114251868973ac2e5926231851daf1caecb3e5b15ae", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8abd4ca2-6da4-5396-ac1c-fff03b867b9f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816165Z", "creation_date": "2026-03-23T11:45:31.816169Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816176Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c0856107633a46e065859058d26e23eea2aa4453bad323f48a0bf62af6acaa9e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8abe0a85-0703-5bcc-9d98-d234f28de712", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465922Z", "creation_date": "2026-03-23T11:45:30.465925Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465934Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c7cd14c71bcac5420872c3d825ff6d4be6a86f3d6a8a584f1a756541efff858e", "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8ac01645-6457-5d22-a393-5944070dd3c5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606830Z", "creation_date": "2026-03-23T11:45:29.606832Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606837Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab5324c992c7547020f85de3456516e0dba2c3c5aab10371723a96188354abaf", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) - legitimate Microsoft Sysinternals driver, not itself vulnerable; listed because its kernel process-handle capabilities are abused in BYOVD attacks to tamper with or kill protected security processes. Expect matches on hosts where administrators run Process Explorer; review before relying on quarantine. [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8ac7d3aa-f903-5b09-8dc7-f138725e5e70", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492373Z", "creation_date": "2026-03-23T11:45:31.492375Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:31.492380Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2d94f2972957609972a179181b481a4bbe87dc9d8853444f10e3819c1919cc80", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8ac8c0f3-b99d-5301-989d-08bad2a206ba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143559Z", "creation_date": "2026-03-23T11:45:32.143561Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143566Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff55c1f308a5694eb66a3e9ba326266c826c5341c44958831a7a59a23ed5ecc8", "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8ad313a7-b2b4-5487-a45a-8353c5644239", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827434Z", "creation_date": "2026-03-23T11:45:30.827436Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827441Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "30f2147f48858f5aeaf2358a439e2467e47a9b4a57ccb72e0d4bb58d5cdecad9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8ada037c-3088-5bec-9956-e56969017d89", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613118Z", "creation_date": "2026-03-23T11:45:29.613120Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613126Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f85784fa8e7a7ec86cb3fe76435802f6bb82256e1824ed7b5d61bf075f054573", "comment": "ASUS vulnerable UEFI Update Driver (aka AsUpIO64.sys and GVCIDrv64.sys) 
[https://codeinsecurity.wordpress.com/2016/06/12/asus-uefi-update-driver-physical-memory-readwrite/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8adc5bf7-282f-581a-b1ec-7622aac46407", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815366Z", "creation_date": "2026-03-23T11:45:31.815368Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815374Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cac2b6e639f3ab5b42d228b161029c913284e7f41125783a96b2d6a71be507e2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8adda29f-0bf5-5939-92b2-555af963cbce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815960Z", "creation_date": "2026-03-23T11:45:31.815964Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815970Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0d58d5b56dcfd39a9970384520386a56e2a0a4fdbbccfb6706cebffabe97ac54", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8ade8aa3-d152-5bac-8bbc-a4f4c31bdb99", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483095Z", "creation_date": "2026-03-23T11:45:31.483099Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483109Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e57d77d3948703c9efba0b62151548cae781a708c517e20060a48caa3960a354", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8ae8a1c5-18ab-5be0-8b68-729a5eb2802e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815160Z", "creation_date": "2026-03-23T11:45:31.815162Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815167Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c5fe73351a6765fef5d095693d15ddebb13d95de901843a03f5596adc7a00656", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8ae9baf4-1c06-5888-87d0-803c7688728f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151055Z", "creation_date": "2026-03-23T11:45:31.151057Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151063Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"648f2aa5ed1671df0af786521e15619d0979753752197df4c79f83af69a4b1d2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8aea0465-7cf9-5b4d-9e65-45b03e11a403", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973006Z", "creation_date": "2026-03-23T11:45:29.973008Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973014Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8f68ca89910ebe9da3d02ec82d935de1814d79c44f36cd30ea02fa49ae488f00", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8aee5b3f-8622-54fb-9e42-a03520ef8a83", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.452678Z", "creation_date": "2026-03-23T11:45:30.452682Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452691Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "18b12a09448244180344d7e5f8028a0ca53ca0f3bddfec06d00f995619c3fc0b", "comment": "Vulnerable Kernel Driver (aka mapmom.sys) [https://www.loldrivers.io/drivers/cf94939a-703f-46a4-917b-d6af7e0685ef/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8af6982c-bdc1-5b6d-b390-9fd558675d7e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822007Z", "creation_date": "2026-03-23T11:45:31.822010Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822018Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0ea0e67e8e4b6b5f5b56205dcb965e6fa99515ac03063ba8313078d8183a40f7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8af73424-cabd-5273-b142-1734b1585b28", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494196Z", "creation_date": "2026-03-23T11:45:31.494199Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494207Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b2143ad726c1d98f46dd3fa848294ce5e5c5c1ebb4414762c13b0e427f9d6d42", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8b0d4dcd-a24f-510e-85ef-1401806f03dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614596Z", "creation_date": "2026-03-23T11:45:29.614598Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614604Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"591bd5e92dfa0117b3daa29750e73e2db25baa717c31217539d30ffb1f7f3a52", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8b1c0132-0f87-53b9-a3e9-598681d12184", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828707Z", "creation_date": "2026-03-23T11:45:31.828709Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828714Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2463da4c24ab4e8beee552c24f2a70316aa2cb8c3ec148ce446b3a11a8b08956", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8b24d52f-c3b6-563a-b568-b415e288987f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.820244Z", "creation_date": "2026-03-23T11:45:31.820247Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820256Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "34580b7c46cf2ba86ec120aa94c5c6a74347eb8e214165b2d0bcc4f51a310ebd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8b2e4de4-b4f1-5688-b0c0-14e7e1bd315d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825511Z", "creation_date": "2026-03-23T11:45:31.825513Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825519Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e03e2302933fce5d5e302bce826ff8ed6f1d3d57363f611a3855b1f18121431", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8b354715-a8d4-50dd-b4fd-7387f41976e2", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467919Z", "creation_date": "2026-03-23T11:45:30.467922Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467930Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c005f1bcb549d76ab86390217ad6b3a2226ec74fd6f4595c0fd28b73102b1b99", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8b40143f-a5f1-5480-9a6f-a3dc8de0f0ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972908Z", "creation_date": "2026-03-23T11:45:29.972910Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972915Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"238046cfe126a1f8ab96d8b62f6aa5ec97bab830e2bae5b1b6ab2d31894c79e4", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8b4b0dba-3bf6-5928-9271-9e40c906fa85", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613787Z", "creation_date": "2026-03-23T11:45:29.613789Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613794Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6dafd15ee2fbce87fef1279312660fc399c4168f55b6e6d463bf680f1979adcf", "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8b5f7cbd-f507-5415-9529-20310e67627f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454919Z", "creation_date": "2026-03-23T11:45:30.454922Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454930Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "22da5a055b7b17c69def9f5af54e257c751507e7b6b9a835fcf6245ab90ae750", "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8b68cf26-de42-5958-a6f6-89188fe44e69", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812907Z", "creation_date": "2026-03-23T11:45:31.812909Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812915Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9700d4a0ec9ab9aebd902664586c608ea41255f181fdd60e4e4f97faff4c8efc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"8b6b55f3-9d75-50a2-883f-a4f7c2a6cfcb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622828Z", "creation_date": "2026-03-23T11:45:29.622830Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622835Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "507cee84e2924e81916c8bf090efb1beab3c258a79e1e1bf3637b8b7824d0a86", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8b8f1810-a120-5dc7-aca8-7320c2d51160", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605487Z", "creation_date": "2026-03-23T11:45:29.605489Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605494Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "98a123b314cba2de65f899cdbfa386532f178333389e0f0fbd544aff85be02eb", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8bb42c60-1d10-5ad3-aa54-9eb7d3d53dda", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486010Z", "creation_date": "2026-03-23T11:45:31.486013Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486023Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8d0c87a31a5e5c22ccd722f80165f98023b8ffa270a03ee174728e8e247d05b6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8bb87c0e-a975-5774-a6ac-6e726a11efd0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, 
"username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492250Z", "creation_date": "2026-03-23T11:45:31.492252Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492257Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b266100dc2c0a9c657e443e0123842404478d170e113f81fe18a5b0e9f915735", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8bbbfa75-1155-5e2d-b741-079d4914edc9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470341Z", "creation_date": "2026-03-23T11:45:30.470345Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470354Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7442192141d056cef53a570d072759a648393be52019f32e93ccb7aec5715feb", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"8bc68ea2-ae89-557f-8f21-d13ced1d7ab7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480365Z", "creation_date": "2026-03-23T11:45:31.480369Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480379Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0b2d29f8984a3c9649765ab359580c590371d32d7279a5553750ce95d0f4f477", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8bd0fc17-6c0d-53d2-97a0-dbdcf564452c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606079Z", "creation_date": "2026-03-23T11:45:29.606080Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606086Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "46621554728bc55438c7c241137af401250f062edef6e7efecf1a6f0f6d0c1f7", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8bd267b4-1790-56ff-ad77-8180b2fa89c5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821853Z", "creation_date": "2026-03-23T11:45:31.821856Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821864Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d04ac62221a46998dfe281b055ca507840fc0275bf7535d11aeac25a80b654c0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8bf73bc3-f8b1-5d4e-8d23-fda0e56ff72e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, 
"username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146710Z", "creation_date": "2026-03-23T11:45:32.146712Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146717Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "331a5bf8965b6410c5517df3ffad4d15afc4390f5b482a6e5fae1c01dd55059f", "comment": "Vulnerable Kernel Driver (aka 8492937_2_Driver.sys) [https://www.loldrivers.io/drivers/c95a796a-a8f6-4cfa-bc42-4936ecb59091/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8c06113b-9892-531f-ba51-22729b956d4a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833588Z", "creation_date": "2026-03-23T11:45:30.833591Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833600Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e132a6ba87d65723faa4a27ac5857bed428fb9983ac817b20a4c37a33070dd0b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"8c095117-2e46-5c71-9449-16ed20955113", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148468Z", "creation_date": "2026-03-23T11:45:31.148470Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148475Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "63298626b1d4aea3c8b8b838ce3412f4e501986af353004083358922810290ed", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8c0b65dd-ab42-58f2-9197-0c842c3b8117", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151599Z", "creation_date": "2026-03-23T11:45:31.151602Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151611Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4494f5066385b1ccd758a513c426556b8591288c5bd180ddea35f42bae761b18", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8c11cab9-7ce3-549b-bdda-7752d65c6cbd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828022Z", "creation_date": "2026-03-23T11:45:31.828026Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828034Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d0711adbe0d45695e507b196625c70f29f17af40d48e1575903d3c658803ffb2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8c19dc67-ed30-5824-8490-74110b6730b1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820298Z", "creation_date": "2026-03-23T11:45:31.820301Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820310Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "97b2275049846d6a65b7a684085f6e984db9a6a62e4547a984a7441e14b6bd5a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8c308c1d-a694-5f55-b0d1-ecddc04094bd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979812Z", "creation_date": "2026-03-23T11:45:29.979814Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979819Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3700b38d63d426ff0a985226b45eca6e24d052f4262d12aff529e62c2cb889c3", "comment": "Vulnerable Kernel Driver (aka nt4.sys) [https://www.loldrivers.io/drivers/1d4f7a3a-786b-4a74-b34f-14d44343de9e/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8c395fec-937e-5e55-ad01-37bd3caf8818", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822037Z", "creation_date": "2026-03-23T11:45:30.822039Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822046Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a9b98a8234d3e560feef5ec88f35960f631d111351d7085c011e055dfec7d3ce", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8c3dc435-ec9d-59a5-94b8-f4e8bb17e528", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621496Z", "creation_date": "2026-03-23T11:45:29.621498Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621503Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "71ff60722231c7641ad593756108cf6779dbaad21c7b08065fb1d4e225eab14d", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8c4c470f-10f4-5078-aec0-2ccf414d7938", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486371Z", "creation_date": "2026-03-23T11:45:31.486374Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486382Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2d45901faf83202835300cfe959227a39001b8c37681cd67359f36158431c07f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8c518d00-1ef3-5487-9b4c-ea857db77aff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971749Z", "creation_date": "2026-03-23T11:45:29.971751Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971756Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f", "comment": "PowerTool Hacktool malicious driver (aka kEvP64.sys) [https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HackTool.Win64.ToolPow.A/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8c68a0e4-de31-5fa6-b957-10f27179ca83", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479797Z", "creation_date": "2026-03-23T11:45:31.479800Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479810Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6b382a9b09066a08e1db92e46cb2cf14f3741b1a5342a40ec7d1acb00fab7ada", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"8c6ae79e-7b43-5c5b-b8c7-8d4c55ab8b0b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459821Z", "creation_date": "2026-03-23T11:45:30.459824Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459833Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "88992ddcb9aaedb8bfcc9b4354138d1f7b0d7dddb9e7fcc28590f27824bee5c3", "comment": "Vulnerable Kernel Driver (aka gdrv.sys) [https://www.loldrivers.io/drivers/2bea1bca-753c-4f09-bc9f-566ab0193f4a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8c775d63-c31f-57b3-839b-e712bc597999", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832624Z", "creation_date": "2026-03-23T11:45:30.832626Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832631Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": 
[], "type": "hash", "value": "77ae110ba425dcefb6fbfaa7f6a72324361f027cf32fee91f1b13c4add422150", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8c797afb-4736-55da-b34c-c721b3c05f0d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970280Z", "creation_date": "2026-03-23T11:45:29.970281Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970287Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ff7578df7293e50c9bdd48657a6ba0c60e1f6d06a2dd334f605af34fe6f75a5", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8c7a0810-fbdf-5208-8710-3728c3516c98", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818351Z", 
"creation_date": "2026-03-23T11:45:31.818355Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818364Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0ee10186740679439654168d2319de2a1a8a3fc1077acb505db8636c28b8dd89", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8c7c1adf-cb51-5076-b56b-a2b7c2b551a9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610846Z", "creation_date": "2026-03-23T11:45:29.610848Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610853Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e0b5a5f8333fc1213791af5c5814d7a99615b3951361ca75f8aa5022c9cfbc2b", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8c99092a-f034-5bdd-b44c-f6fcafb0191b", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812562Z", "creation_date": "2026-03-23T11:45:31.812564Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812570Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "09ada32541233dce3a892b93d39bb02611b3a31d6704f676f83b40f8ce215133", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8ca22587-b8ea-57d3-a2f7-ed29b9e9b48e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826026Z", "creation_date": "2026-03-23T11:45:31.826029Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826037Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"29c2e854791e4f948e2117dde442d8671f6b365efcaf80a1579c08e275e55b34", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8ca2a791-1061-5e13-bb66-573e3875f866", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809006Z", "creation_date": "2026-03-23T11:45:31.809008Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809013Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ae60bdc5497190c5bd278f2e4c7afd1c5b8604d49d1b9f448efc75f7ef9b7d54", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8ca2e12b-dc7b-5bed-935c-2fd03f128dc8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810450Z", "creation_date": "2026-03-23T11:45:31.810452Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810458Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2f3bc8ff2bcfaf8c59ce9b946ea8abf2c0530af9da66b8ccb3760b10264794df", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8cc53f01-1a89-5a5c-8434-235fc4898f77", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819191Z", "creation_date": "2026-03-23T11:45:31.819193Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819198Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a19007ece916157952ff5cda5bf0b4342d2f009a7d368aaa29c169d3794d9016", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"8cc581fb-33c6-5ade-8fab-557e913534f6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500176Z", "creation_date": "2026-03-23T11:45:31.500179Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500188Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f0f4c9253ff3380224484a8a9ef15971dbaffbed1d09a7e0ee48fdfca3d1501d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8ccfd284-a8b7-5204-9cd3-d8d7f0b87b43", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469008Z", "creation_date": "2026-03-23T11:45:30.469011Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469020Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6b4ac66225600b3d5b89f6b0440ccdd0f59279fd0bbf4af82f1aab63df54b883", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8cd3943a-5473-5e11-a399-4c88312d1f49", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466072Z", "creation_date": "2026-03-23T11:45:30.466075Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466084Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "12b0000698b79ea3c8178b9e87801cc34bad096a151a8779559519deafd4e3f0", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8cd599b5-6587-5d02-8242-09eeaac6cdf1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:30.827893Z", "creation_date": "2026-03-23T11:45:30.827895Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827900Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "415fa8623e0e8ec991093365cfce3a913f8711198fcf2e7ffb4d59712348ab67", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8cd82f15-0280-5a9b-82c2-debf16e530e8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458664Z", "creation_date": "2026-03-23T11:45:30.458667Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458676Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1204026fdc9c859960ee561eb9f1fd9ebf6c88c78c5d4cee35ef029ad5050ec6", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8cf64ce4-eb07-5796-b0e6-321ee2f458da", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148224Z", "creation_date": "2026-03-23T11:45:31.148226Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148231Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0a2a2374a88951cdf69c9215659bf9dd12125669e4143df3c574a2041ddafb92", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8d026852-d879-546f-b98c-1641dd8d3047", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810254Z", "creation_date": "2026-03-23T11:45:31.810256Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810262Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "5e0cda9601a0a53bdc07b9c678de3571ca33666cf354a7ef36a2939107bfd7ca", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8d0c765d-ca1d-5c84-8c33-0d57bfc984a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978423Z", "creation_date": "2026-03-23T11:45:29.978425Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978431Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b019ebd77ac19cdd72bba3318032752649bd56a7576723a8ae1cccd70ee1e61a", "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/a7628504-9e35-4e42-91f7-0c0a512549f4/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8d15a630-c118-57f1-8d0d-15e963aaac2e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.453577Z", "creation_date": "2026-03-23T11:45:30.453581Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453590Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1e556fc49ab6caeb5b835abf683ff04a39f0e467ea5607187c8b2fcf2ca77314", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8d1d9d93-9a73-5fb6-8235-a9f944c04526", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495390Z", "creation_date": "2026-03-23T11:45:31.495393Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495401Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "28aeefa1f2d98aef61a1c972f4b3d2ef759301440f78e74cca16ef96c9d23f32", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8d24d0eb-1a5a-5982-a2d3-756332791807", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983703Z", "creation_date": "2026-03-23T11:45:29.983705Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983711Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "54bc506b2f0cf66d12d4a2415ab743c2b2a1f3079089e3e0c0c1f3f49dd7335e", "comment": "Vulnerable Kernel Driver (aka WCPU.sys) [https://www.loldrivers.io/drivers/7f645b95-4374-47ae-be1a-e4415308b550/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8d30dbe7-3f97-5ca9-b7c2-16a18c094cb7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607668Z", "creation_date": "2026-03-23T11:45:29.607670Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607675Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"7da6113183328d4fddf6937c0c85ef65ba69bfe133b1146193a25bcf6ae1f9dd", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8d474abf-c415-5088-8ecf-aee802e4ff47", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828973Z", "creation_date": "2026-03-23T11:45:30.828975Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828981Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ad8e224c4c5fd1698b9898e9003a18edee6e44dac2e778a269b121a9f722ae0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8d50322e-9191-5266-b667-464e4ffbdc7c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:29.971908Z", "creation_date": "2026-03-23T11:45:29.971910Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971915Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5ae3056a475fbf96c109185a3a44abe8a5af461cb9310370f595adda1ce2df28", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8d584675-f651-54e3-82fc-f59a68718bdf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151841Z", "creation_date": "2026-03-23T11:45:31.151845Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151854Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "50cb1ea20990e0fc95cefd5354f857eb21724f637f807b885722515fa0b3d9fe", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8d70af87-1e2a-5462-9ca6-d74a1864b714", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973739Z", "creation_date": "2026-03-23T11:45:29.973740Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973746Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6ffdde6bc6784c13c601442e47157062941c47015891e7139c2aaba676ab59cc", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8d761b0e-c6a1-5c3f-b5b2-ee58319a695c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460096Z", "creation_date": "2026-03-23T11:45:30.460099Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460108Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "22e125c284a55eb730f03ec27b87ab84cf897f9d046b91c76bea2b5809fd51c5", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8d86abc2-7479-5ba2-be36-627be8b90423", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145697Z", "creation_date": "2026-03-23T11:45:32.145700Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145706Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1afc1d0672c14df8c9e4caa88f5d3b7968421d72c548b6df307e371b9a8776d5", "comment": "Malicious Kernel Driver (aka driver_1afc1d06.sys) [https://www.loldrivers.io/drivers/d7773616-9860-4768-b6a2-d74f32c23b4e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8d86ba3b-abe2-514b-a706-d87ab491adec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606575Z", "creation_date": 
"2026-03-23T11:45:29.606577Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606583Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4533a11f4f190354b749f2842b57233e5e9e8b37fa4031bcb976118cff902101", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8d8883da-1a6e-566c-b1e9-11b057207a62", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143148Z", "creation_date": "2026-03-23T11:45:31.143150Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143155Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "002b9b5e83fb76da6e3e98c7de0f515de55429059026b03fd3bc8973f9227857", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8d9005c2-cc7c-5318-b64a-0313f39b3aa2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 
10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491494Z", "creation_date": "2026-03-23T11:45:31.491497Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491505Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fe0b4f7ebed27bedbab89926bd7637f91963b4c7364709f68ead295ee89660e5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8da0ebde-0443-5844-98ea-10362b3afd71", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.603902Z", "creation_date": "2026-03-23T11:45:29.603904Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.603910Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"bdf49774a13d717c1f0b84bf82f4d9ec652994a475f0b8a0a3ab685cd5fd74a4", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8dbad857-0663-55e4-9e0f-c36d79768c6c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146673Z", "creation_date": "2026-03-23T11:45:31.146675Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146681Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b8ca82693f85a31d0dca7731fdc112d5cf619d3c65deebb58b0f1d9b045b7d4f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8dc5fb8c-f347-5b3c-bc21-a026ce5505f0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972072Z", 
"creation_date": "2026-03-23T11:45:29.972074Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972079Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b51ddcf8309c80384986dda9b11bf7856b030e3e885b0856efdb9e84064917e5", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8ddda757-36db-577d-a31d-d35b5e272919", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491965Z", "creation_date": "2026-03-23T11:45:31.491967Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491973Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7f98e425d04b84057f995dccfd76941b40baa512a839440a325a3255d7c964a4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8de7054e-720b-5521-970d-1843c428d0cb", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620600Z", "creation_date": "2026-03-23T11:45:29.620602Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620610Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "54841d9f89e195196e65aa881834804fe3678f1cf6b328cab8703edd15e3ec57", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8df0eef2-ab25-56a2-a736-f5f282230a36", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621547Z", "creation_date": "2026-03-23T11:45:29.621549Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621554Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"7b0f442ac0bb183906700097d65aed0b4b9d8678f9a01aca864854189fe368e7", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8df3933f-628a-59af-b984-9f1d3c92a03e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459921Z", "creation_date": "2026-03-23T11:45:30.459925Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459933Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "45b07a2f387e047a6bb0e59b7f22fb56182d57b50e84e386a38c2dbb7e773837", "comment": "Vulnerable Kernel Driver (aka LgDataCatcher.sys) [https://www.loldrivers.io/drivers/5961e133-ccc3-4530-8f4f-5d975c41028d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8dfae742-47d8-5c9c-9217-cbd112a1048b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607183Z", "creation_date": "2026-03-23T11:45:29.607185Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607191Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "96ee751f7c38731e97773e07e0f13f4dd361af9aaa1d30b41652c2e6efc3fb3e", "comment": "Dell vulnerable driver (aka dbutil_2_3.sys) [CVE-2021-21551] [https://github.com/SpikySabra/Kernel-Cactus] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8e08e94f-ebd1-531d-9eb4-e8d8ff16ff99", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828614Z", "creation_date": "2026-03-23T11:45:30.828616Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828621Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e18f303d27c753bee0f90637e5a8c3ae1f76276d1419430a335c2d2b0b66f3b6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8e11b7fe-6820-5c0a-888f-4a4b5ee0452a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975804Z", "creation_date": "2026-03-23T11:45:29.975806Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975812Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7419b05e74733d2b7ce4c860ab74043b816a7f66a1ff7eec81fe3b35730e3bbb", "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8e1783a9-8e63-5d78-bc12-47c7c81bc7e3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828203Z", "creation_date": "2026-03-23T11:45:31.828205Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828210Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b6c5360fb5cf9a441c51255d27039ceebdcf532e25c98a41c5facf6b00ae05c4", 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8e26b953-ce06-58eb-92ea-3095be8f5477", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822789Z", "creation_date": "2026-03-23T11:45:31.822792Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822801Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e1a9526605bbdcf72085e2fecec7ce06265af73aa196a963fc9d1122b1883ec", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8e395393-6f7e-5edd-aea7-8f25beb5122e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605629Z", 
"creation_date": "2026-03-23T11:45:29.605631Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605637Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e07211224b02aaf68a5e4b73fc1049376623793509d9581cdaee9e601020af06", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8e4388f7-051f-5d35-ada0-4292d97f356b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830908Z", "creation_date": "2026-03-23T11:45:30.830910Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830916Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c7c3a0128e7111625f77f9a7ff615a297e60c293c1532523685d67f88054bde9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8e50f6ca-d6a1-5365-bb90-65483a5369e5", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826132Z", "creation_date": "2026-03-23T11:45:30.826135Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826140Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "027000b80fb5c703aeb2de72dd540653392eab608142bbba13f949345c101b28", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8e54f236-0506-58e1-85f1-3a2720b8a492", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486971Z", "creation_date": "2026-03-23T11:45:31.486974Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486982Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"5f7621d4651e80986142b4673dc335e39708b4cfef21b71ddd955ae31a14657c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8e5546b9-f808-5feb-b6a7-180022cb715d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983211Z", "creation_date": "2026-03-23T11:45:29.983213Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983218Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e6b339597a89e875f175023ed952aaac64e9d20d457bbc07acf1586e7fe2df8", "comment": "Vulnerable Kernel Driver (aka DBUtilDrv2.sys) [https://www.loldrivers.io/drivers/bb808089-5857-4df2-8998-753a7106cb44/,https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8e627923-faec-52af-bfd6-1d37a2bbb2c8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616381Z", "creation_date": "2026-03-23T11:45:29.616383Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616389Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7c942801884999057aabdc01707570371afdb077979ee2f318c05276123b78e7", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8e678966-9e56-54ff-9907-ed85717d537d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144124Z", "creation_date": "2026-03-23T11:45:31.144126Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144131Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b7b7774480af293fbfac7f3c038b897d54aab36afe0afae210b3640b40fefec8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"8e6c7db6-3880-5c46-a654-5f9ef85665ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834003Z", "creation_date": "2026-03-23T11:45:30.834006Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834014Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "61f139d722bea6618c688a7f74b5a04907c7308d9fc434a1033439f0d26c90b0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8e6cc692-fde4-55cd-8d3b-4ba23c2f1457", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823773Z", "creation_date": "2026-03-23T11:45:30.823775Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823780Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7d4862fb20b01f19eaf86774ecbb20a137163d969554ac9b91c3c92fe103ea7a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8e744983-55ae-50bc-97fe-db3663208398", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620441Z", "creation_date": "2026-03-23T11:45:29.620443Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620448Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d8459f7d707c635e2c04d6d6d47b63f73ba3f6629702c7a6e0df0462f6478ae2", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8e7965f9-9d49-53e1-835c-cbdcd2a34e50", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473367Z", "creation_date": "2026-03-23T11:45:30.473370Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473379Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "78d49094913526340d8d0ef952e8fe9ada9e8b20726b77fb88c9fb5d54510663", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8e84d1be-7d77-5fa8-9192-c8f8cce37711", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152804Z", "creation_date": "2026-03-23T11:45:31.152807Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152815Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "61923c135d0847549f5869a5a91d78ba945e3f5c1c6d5b31dfe34ad8911b5ae3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"8e8b25dc-55b4-5ebd-bd03-c46da2ce3f13", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618023Z", "creation_date": "2026-03-23T11:45:29.618025Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618030Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "423d58265b22504f512a84faf787c1af17c44445ae68f7adcaa68b6f970e7bd5", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8eaeaf65-32d8-5555-9dd8-764cc57ee5a0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818265Z", "creation_date": "2026-03-23T11:45:31.818268Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818276Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a39fe7b7cc504ed53435aefd9050f7bebe2115e87f6089006f0ad26404e52419", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8ebebc4b-0827-5d4f-8583-39cd88fa0c0b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823361Z", "creation_date": "2026-03-23T11:45:31.823364Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823373Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ec97b2ca7836cba139fd394132a06b7eaaff3f78a15110a28acf6368e9837148", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8ec416e2-9b78-5ca8-92bf-57c184d2347e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483597Z", "creation_date": "2026-03-23T11:45:31.483601Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483611Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0ddb52f71b17725e01328632bc62197d8d880b6e349a7f96e153a8e3e1520e77", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8ecbf4ee-d4fb-5b07-a4aa-ee2060c2fd2b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974108Z", "creation_date": "2026-03-23T11:45:29.974110Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974115Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ecd07df7ad6fee9269a9e9429eb199bf3e24cf672aa1d013b7e8d90d75324566", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] 
[https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8ed85ee6-98ce-5007-9860-0154fe9eb079", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819498Z", "creation_date": "2026-03-23T11:45:30.819500Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819506Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3cb111fdedc32f2f253aacde4372b710035c8652eb3586553652477a521c9284", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8ee8010b-fc28-55d5-a9f8-aaaf94cdc63a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452708Z", "creation_date": "2026-03-23T11:45:30.452712Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.452721Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4bf4cced4209c73aa37a9e2bf9ff27d458d8d7201eefa6f6ad4849ee276ad158", "comment": "Vulnerable Kernel Driver (aka fiddrv64.sys) [https://www.loldrivers.io/drivers/64f3d4b0-6d2b-4275-b3d4-15d092af4092/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8eeb1a20-0b06-589e-9cbf-a3c417ce9606", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981700Z", "creation_date": "2026-03-23T11:45:29.981704Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981713Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0b205838a8271daea89656b1ec7c5bb7244c42a8b8000d7697e92095da6b9b94", "comment": "Vulnerable Kernel Driver (aka ProxyDrv.sys) [https://www.loldrivers.io/drivers/0e3b0052-18c7-4c8b-a064-a1332df07af2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8eec39d2-f7a3-50d7-9b99-d65f67de243a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622759Z", "creation_date": "2026-03-23T11:45:29.622761Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622767Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a520ff5c754a1fb62ba88399a313d0c0fb99145ba2d3d91dbf4282388b77fa84", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8ef5479c-0d31-5922-8c12-5a25ca1fb5ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828365Z", "creation_date": "2026-03-23T11:45:30.828367Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828372Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "164e53bcd4af4a0cf7773f7570f43a8370521e3fba8e7da76fe6e46d93c54375", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8efc4026-0508-5aba-880e-6f6a6a92e56c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490419Z", "creation_date": "2026-03-23T11:45:31.490421Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490427Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fed4296d2bd088e45850ef09c5f1f598b926a3602dab71e921e8a881af2dfb39", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8eff5a5f-b3c8-588f-a808-fbb2ba6cfd6d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455730Z", "creation_date": "2026-03-23T11:45:30.455734Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455743Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6701433861742c08eb50f1e785962378143ad5b6c374ac29118168599f8a0f1c", "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8f0437d6-ffb1-5479-b7d3-b2423efd37ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145659Z", "creation_date": "2026-03-23T11:45:32.145661Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145667Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "930da474a6d1be97b54f2c81e883e14d62897aa58622e5b040e412bd36cee0a7", "comment": "Malicious Kernel Driver (aka driver_930da474.sys) [https://www.loldrivers.io/drivers/4c4e7664-af86-4483-858a-f59346f3d304/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8f098271-1543-5b6a-a9bf-00949da16756", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818208Z", "creation_date": "2026-03-23T11:45:30.818210Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818215Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cb59a641adb623a65a9b5af1db2ffd921fd1ca1bc046a6df85d5f2e00fd0b5a5", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8f0a1565-5a6a-556d-8cb8-03d08d57f17f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160720Z", "creation_date": "2026-03-23T11:45:31.160722Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160728Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee73362a7b874688da240e0c26e85b9f94ff012708f57fdedaee8d81b015baba", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8f0c8bbe-2a1e-5a2e-93c4-8f510fd52491", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455052Z", "creation_date": "2026-03-23T11:45:30.455055Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455063Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "40c45c9b1c764777096b59f99ae524cbd25b88c805187e615c3ed6840f3d4c15", "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8f172986-bb69-5d6a-934d-6c35d5d798c4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460264Z", "creation_date": "2026-03-23T11:45:30.460268Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.460277Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5ab48bf8c099611b217cc9f78af2f92e9aaeedf1cea4c95d5dd562f51e9f0d09", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8f1c5ec8-cc49-5fe3-b6fd-568f18f93780", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140418Z", "creation_date": "2026-03-23T11:45:31.140420Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140426Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a56f9efee818f2d92cbcaa4025d4a40ec1a32243226c3df5f6db8fb6be769e4b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8f1e87c1-621f-5148-9adc-ad850f97e833", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821470Z", "creation_date": "2026-03-23T11:45:30.821474Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821483Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "767ef5c831f92d92f2bfc3e6ea7fd76d11999eeea24cb464fd62e73132ed564b", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8f218bde-cd11-5551-bcd3-3ba5b37d7d07", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144481Z", "creation_date": "2026-03-23T11:45:31.144483Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144489Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "885c386e3349ab5feb9c8f53eb9d72c6cc0e34e7decb1cc67ca60d4ed55aff9f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8f24dfd0-32a7-58d2-8904-3a01a495c6c2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482979Z", "creation_date": "2026-03-23T11:45:31.482983Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482994Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "23acb0b9873f8b4bfdd2ad9583a32d42bbd8ffa9ffa63ee6c56d2f2c36822caa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8f2a7991-19dd-5588-b793-decfa50b507c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159104Z", "creation_date": "2026-03-23T11:45:31.159106Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159111Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ebd5013c06979f4b14956b2b912d821a1afc2e78eb22e8e1f303f26c3afe6168", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8f2b33ae-861a-5e42-87ea-ae3c5dd272de", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483629Z", "creation_date": "2026-03-23T11:45:31.483633Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483642Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2f2439b26ab2a365ae0014bbc008f78d9f1bb8772661de5600d21b61d9beffd4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8f2ead5c-ee58-579a-a96e-8a638e52ad4c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982159Z", "creation_date": "2026-03-23T11:45:29.982161Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982166Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "acb65f96f1d5c986b52d980a1c5ea009292ff472087fdd8a98a485404948f585", "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/b03798af-d25a-400b-9236-4643a802846f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8f367a89-bb24-5471-aea6-0f915052d013", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482916Z", "creation_date": "2026-03-23T11:45:31.482920Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482930Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "85620e543732b4d53062cdbf61d924ac29accbf7e6ea663fc39fd0c9a12900d0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8f3ac8a8-317d-535f-920e-dadf8135e37f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830492Z", "creation_date": "2026-03-23T11:45:30.830495Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830500Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0019c165b4c461fcdd455c6d78ab0ac4a28b7b57f6dff09d42d8f334e8b6c4bd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8f4209b4-0d0a-5225-86cc-ca67dc6022dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979012Z", "creation_date": "2026-03-23T11:45:29.979014Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979019Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "348679f0f44eb5a50601c48728a5afd2b4312c95eeb7179ce57d447c0d30f873", "comment": "Vulnerable Kernel Driver (aka PanMonFlt.sys) [https://www.loldrivers.io/drivers/cfdc5cb4-be5c-4dcc-a883-825fa72115b4/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8f43ed7c-d3d9-56ab-b38b-19ad94fa9f2e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979864Z", "creation_date": "2026-03-23T11:45:29.979865Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979885Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a", "comment": "Malicious Kernel Driver (aka daxin_blank2.sys) [https://www.loldrivers.io/drivers/2e1531b2-d370-4543-9e2e-5319a1c13c22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8f446287-ac3d-5d2b-b8c1-d3bf26766a75", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608986Z", "creation_date": "2026-03-23T11:45:29.608988Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608993Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "26c28746e947389856543837aa59a5b1f4697e5721a04d00aa28151a2659b097", "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8f4d3e27-7cff-54e4-a889-2116b86a4a15", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983595Z", "creation_date": "2026-03-23T11:45:29.983597Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983603Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "50f9323eaf7c49cfca5890c6c46d729574d0caca89f7acc9f608c8226f54a975", "comment": "Malicious Kernel Driver (aka ntbios.sys) [https://www.loldrivers.io/drivers/eef1fcf4-8c54-420b-8d38-9c5f95129dcc/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"8f505155-6103-5c6d-bd5d-92c4fa4f7d12", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825522Z", "creation_date": "2026-03-23T11:45:30.825524Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825529Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "320ae8c286e987bf73162993087e9ffe1d7d76df3468a6e5bc7dc197b481b00d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8f62ff62-d1f2-5700-8d5a-77941dec1dde", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463614Z", "creation_date": "2026-03-23T11:45:30.463617Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463626Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "897f2bbe81fc3b1ae488114b93f3eb0133a85678d061c7a6f718507971f33736", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8f735a58-d1ae-5f3d-8b30-2d72d5b8f047", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145747Z", "creation_date": "2026-03-23T11:45:31.145749Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145754Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "53d919f64c2e4b457b5b5a7b559ec6d9028d9a906adcb600c2b14e186b2e1577", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8f780cee-fb6f-59a0-98fe-068da1f231b5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489162Z", "creation_date": "2026-03-23T11:45:31.489163Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489169Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3ea3f34058bf171564877f8db413350c947c46a962b6b5ee82b400dd0967bcb9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8f83a69a-5739-56d9-bc99-abc22179e75a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144615Z", "creation_date": "2026-03-23T11:45:32.144617Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144622Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0f78dd64abcb5a3e1d60f9e9c92422f34a52e009770e6434d2d8aabb6d370737", "comment": "Vulnerable Kernel Driver (aka RtsUer.sys) [https://www.loldrivers.io/drivers/71d930a7-3465-4d27-90d4-2a1a08bebb92/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"8fa07ce7-4c6f-5567-bfa4-f863ceda720a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829759Z", "creation_date": "2026-03-23T11:45:31.829762Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829771Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b04473fe4284519d6eaafdc8a231d6483e91d1532062f37e5b260a6095b4e674", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8fa34d84-033a-50d1-8767-7d4cbb94e0d7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619177Z", "creation_date": "2026-03-23T11:45:29.619179Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619184Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "157ce9ae0d09766cfa3e5be8f90e2ac510f0ce3a0bb7cd97e3a5f9aa20c76661", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8fb0ebb2-ea1a-5219-9d2d-68efee9ae522", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974504Z", "creation_date": "2026-03-23T11:45:29.974506Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974512Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5e71106ee81d050e30afd84cade4ef4a581d70130477aa1e34549e6de50cde87", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8fb16975-bd41-5f87-9f48-c4a96fb1bc20", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611813Z", "creation_date": "2026-03-23T11:45:29.611815Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611820Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "539aa921b5352ab385430e1608ac5c0ae36f35e678d471b7a5994ec7c02eadea", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz141_x64.sys) [CVE-2017-15303] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8fb4cd51-bfdb-5a6b-b2a8-e4f56f5aa0ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613387Z", "creation_date": "2026-03-23T11:45:29.613389Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613394Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d20d8bf80017e98b6dfc9f6c3960271fa792a908758bef49a390e2692a2a4341", "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [file 
SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8fbceaf1-319e-54dc-b64c-711059ba28d8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819760Z", "creation_date": "2026-03-23T11:45:30.819762Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819768Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "29f449fca0a41deccef5b0dccd22af18259222f69ed6389beafe8d5168c59e36", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8fc93f93-b40f-5555-a33a-2afb21d5d19b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460013Z", "creation_date": "2026-03-23T11:45:30.460016Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460024Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "df4e25990742fc8d3aed70f6cb4d402e111e7ed08fa5f76aca685b8c03b98b93", "comment": "Vulnerable Kernel Driver (aka LgDataCatcher.sys) [https://www.loldrivers.io/drivers/5961e133-ccc3-4530-8f4f-5d975c41028d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8fcc44b8-0249-5c7d-8eab-0d8ac8a65ec5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617059Z", "creation_date": "2026-03-23T11:45:29.617061Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617069Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d259e9b1d04b5fa966094f15f8edbaeba5da2a14bf34bf0a5490a0e308c025d7", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8fcdeac3-d35b-5113-82ce-6887000e1663", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 
1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827384Z", "creation_date": "2026-03-23T11:45:31.827386Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827392Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "047e83409fd83837c3566e89079fe840f0f127e2ad77f6a2f6a8ff7b31b4738c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8fdc24c4-dc6a-57b6-a94b-9ffab90ebe04", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980202Z", "creation_date": "2026-03-23T11:45:29.980204Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980210Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "46d1dc89cc5fa327e7adf3e3d6d498657240772b85548c17d2e356aac193dd28", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"8fdd4bd5-7b5b-5a5a-b101-34ac89410b8d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155469Z", "creation_date": "2026-03-23T11:45:31.155471Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155477Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "db5fe428d6e069ab0b6d1c33f654144161526eff5fff076bc503f6e0fa153831", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8fe734a2-d6fe-57c6-9d10-5668dd69435b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489091Z", "creation_date": "2026-03-23T11:45:31.489093Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489099Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "24ef9613e5fe416bfef5c49b18ccfa453ab275353fa59950d578e42b1b00bb20", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "8ff8b760-20a0-5fac-8dde-4e0b6b7b3ea2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461498Z", "creation_date": "2026-03-23T11:45:30.461501Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461510Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "115034373fc0ec8f75fb075b7a7011b603259ecc0aca271445e559b5404a1406", "comment": "Vulnerable Kernel Driver (aka netfilterdrv.sys) [https://www.loldrivers.io/drivers/f1dcb0e4-aa53-4e62-ab09-fb7b4a356916/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "90048c6b-c146-5408-b210-b399da12293c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142344Z", "creation_date": "2026-03-23T11:45:31.142346Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142351Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0f6e1d4f8e3d0fe8bc2a087f65a4f6fc26b90e98eb2356cd56a7364f9108604d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "900bb33c-f029-5a8d-bc71-476abe9820fe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143131Z", "creation_date": "2026-03-23T11:45:32.143133Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143139Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "48dc7fd16aacdc8792f8bad1b1f7ca9d675ddac7767e957ea8c4227150d64e2d", "comment": "Vulnerable Kernel Driver (aka echo_driver.sys) [https://www.loldrivers.io/drivers/afb8bb46-1d13-407d-9866-1daa7c82ca63/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"900eee8c-c13b-5f49-b500-b30e4d07a18b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499896Z", "creation_date": "2026-03-23T11:45:31.499899Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499908Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f8fe6b40e491ea41c0e05145db2d7b159d8f493fa24418ef41d0e471667a076f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9011eec4-ca53-59f8-a0e8-6951f6dc1939", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157431Z", "creation_date": "2026-03-23T11:45:31.157433Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157442Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d5951534de51c39aefffaa4239b3da079dac96326fd0422e59edc6af0f00eada", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "901f2e46-bf0f-546d-b711-b5dc8a429014", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830511Z", "creation_date": "2026-03-23T11:45:30.830513Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830518Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0c8caac32c31682d4732f78a47609b2069b65b3e73930106656f9b1d22845d08", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9021781b-66a2-52d9-8676-23120adc3bd1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605358Z", "creation_date": "2026-03-23T11:45:29.605360Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605366Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ad556300b1417c4d78c5c17cc59d7c5e9360f76e49cfd0a4e9564fedf923c66d", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "902466c5-006c-59f3-85d3-6c9759492253", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826174Z", "creation_date": "2026-03-23T11:45:31.826176Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826181Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7431b873a55857dc7a75419842e34a2e96f587182bf632d9d8db5fb497a41e19", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"90296bcc-22d0-5e92-86b0-835ecb16a717", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147431Z", "creation_date": "2026-03-23T11:45:31.147433Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147438Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab25cd1f115a6f3114a1355f54d20917df029080ba6e854169916ea27958b435", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "903198a8-912c-5ab7-b782-9884e48da682", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465454Z", "creation_date": "2026-03-23T11:45:30.465457Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465466Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e4b2c0aa28aac5e197312a061b05363e2e0387338b28b23272b5b6659d29b1d8", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "90326a85-738a-5bd8-8800-287ddca8676a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832514Z", "creation_date": "2026-03-23T11:45:30.832516Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832522Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e133d6ac51c2d412f49c73184a9069f2a5cbe78425857d78b06f88abd1ced25f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9035ada6-17ed-5742-8779-aabb9bc12ab4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827533Z", "creation_date": "2026-03-23T11:45:31.827535Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827540Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "39cc907dbc2bc08254ef115b2397aee842621201821312e5b7198e27e830b9d0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "903eb15a-10a3-5fa3-b3e5-4c61c8ff2b98", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479143Z", "creation_date": "2026-03-23T11:45:31.479146Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479155Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1f3f2c7e511a82c968dc61726d94ef2d902baf3a36174651c2d4d2ebec8b4efc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "904471d3-657c-5b12-a9c0-530b60fd5686", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143945Z", "creation_date": "2026-03-23T11:45:31.143953Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143958Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3c64fa4836d5ec14aa962edbb7fcb96d20b9b69e344ae9e93d7f531f9556c79d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "904b5926-e363-56bf-be2e-dab0df354e76", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973392Z", "creation_date": "2026-03-23T11:45:29.973394Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973401Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "99ddeba6bcdc79e52e3ff8afc63dbe4b299161cf0f5558a2d7630c2a18daf2c6", "comment": "Voicemod Sociedad Limitada vulnerable driver (aka vmdrv.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "904fa457-6cfe-5221-ba7e-655c5f9d0dd9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464735Z", "creation_date": "2026-03-23T11:45:30.464738Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464746Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3ca5d47d076e99c312578ef6499e1fa7b9db88551cfc0f138da11105aca7c5e1", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "90538aef-b31d-561c-a8ac-9567c83886c9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811116Z", "creation_date": "2026-03-23T11:45:31.811118Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811124Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "96476a61d507d601964c5eb173933056925231126c3358e9a74a577b3bd0c171", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "905608ce-76f4-522a-a972-4635ea347b33", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605192Z", "creation_date": "2026-03-23T11:45:29.605194Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605199Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f5f13feced4d8b332cadb0a77dcc36c9788a119dc16295bbdcd2c225ae326299", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "905aa587-6b07-5b27-b4e1-e42f4cee57ba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826866Z", "creation_date": "2026-03-23T11:45:31.826937Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826956Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "234037a78f11e067a0abafd8d871332ded2a413e58fa9ad551b86b36c3aa4585", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "905ae96f-f596-5e9c-a8a9-87f4f1fb5a5f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612074Z", "creation_date": "2026-03-23T11:45:29.612076Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612082Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "faa37602095f25135312f87ed7adb607ffa5e9b2931b58d00f7376ed0c6ec69a", "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9068a806-2098-5670-b68a-91aab79f067d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499721Z", "creation_date": "2026-03-23T11:45:31.499724Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499733Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9e17479d6e6ab766302ac95d2632b5f6a271a0a99df6286a31d08c21d77493f2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "906ca3c6-2737-56e0-b168-8e5194af30b2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152084Z", "creation_date": "2026-03-23T11:45:31.152087Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152095Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5d3ef2066d3d22ce97f1fb3b39f5081acd1c34eab033ff139d80e95dab636e50", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "90768535-f58a-58d7-bfab-56c5adda1e02", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479078Z", "creation_date": "2026-03-23T11:45:31.479082Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479092Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2f5938048e69ddddc2a30e1cc9b18e898fae74f119e9dfde73c417c96b912f42", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "907a5e99-c5e3-511c-89f5-fd4f7d3ef5a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622228Z", "creation_date": "2026-03-23T11:45:29.622230Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622236Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6991be9952aa08c0d2ac9fa728410ebdb44988b496ed01b8b7f478785ebb30c4", "comment": "BioStar Racing GT EVO vulnerable driver (aka BS_RCIO64.sys) [CVE-2021-44852] [https://nephosec.com/biostar-exploit/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9090e885-0d80-550d-ab43-a879a161e87c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813347Z", "creation_date": "2026-03-23T11:45:31.813350Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.813358Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e85661eaf2d80f59a7cce8588d487eb2f3e88cdf05580872ea7a379fd512d63d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "90974d7c-40f0-518d-b0d1-137b96af3a4a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477348Z", "creation_date": "2026-03-23T11:45:30.477351Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477361Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f42eb29f5b2bcb2a70d796fd71fd1b259d5380b216ee672cf46dcdd4604b87ad", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "909ca9fb-ef0b-5a0d-a5ab-32a75da649ea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498255Z", "creation_date": "2026-03-23T11:45:31.498260Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498268Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "95647f910288a7c30a2a886254d2dcbc0d1035e5ec0e9c13bb292d2432e6329c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "90a201dc-9930-5357-8265-4ff9495a155e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833754Z", "creation_date": "2026-03-23T11:45:30.833757Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833766Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab022e2378b4784621dbea6ede94ec67a9a68cc5e0e86e6be3d08ff90803a611", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "90b2e7bd-f87c-532e-a73e-70a291ebab7a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452913Z", "creation_date": "2026-03-23T11:45:30.452916Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452925Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6b71b7f86e41540a82d7750a698e0386b74f52962b879cbb46f17935183cd2c7", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "90b4be1b-8b21-5d12-9fd3-e36511fcba11", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969382Z", "creation_date": "2026-03-23T11:45:29.969384Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.969390Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c5c8258836b58a830ef0289cdd544f741cd1054e8ae4732452553f680677825e", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "90d9475e-5b4c-5fe5-8048-4c79fa5147ae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811507Z", "creation_date": "2026-03-23T11:45:31.811509Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811514Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c6faf31cce58738989762bb173e25c7fbe1db0c65aca290e1e150aef5df5bf0e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "90d98919-a2a4-5a58-b0bc-e7931420d70e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466270Z", "creation_date": "2026-03-23T11:45:30.466273Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466282Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c8ae217860f793fce3ad0239d7b357dba562824dd7177c9d723ca4d4a7f99a12", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "90dd4aa3-65e5-55fc-9de3-2d70d07b0fb8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.161182Z", "creation_date": "2026-03-23T11:45:31.161184Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.161189Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "548ae3270c01abaaa47ce523a1a1f55dcab8bcbb7e1ab2af63748117259a5fe1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "90eb92d4-fb93-5280-bf5d-5ba7d643fa67", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481009Z", "creation_date": "2026-03-23T11:45:31.481013Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481023Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4619cb7fbfa46a9eb482bf6988ee67a5720f8685d5f1a5a715cb6f250af84ace", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "90f285bb-fbd5-5c7e-b17c-4bae4c69b851", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977568Z", "creation_date": "2026-03-23T11:45:29.977571Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977576Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e4ac5c7fbb41ee988029b27d8b6be574725689fd1365f5a56f5a12d9120f86c6", "comment": "Vulnerable Kernel Driver (aka CorsairLLAccess64.sys) [https://www.loldrivers.io/drivers/a9d9cbb7-b5f6-4e74-97a5-29993263280e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "90f9224e-d2e7-5b8f-9693-87166a8ab05b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475539Z", "creation_date": "2026-03-23T11:45:31.475543Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475553Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f7000fda0f12ed88ec7918021caed1c6d18248c31cc5e4043dff1016fe2470ab", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "90ff1411-47c9-5655-9c0e-87cd7acc258b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473572Z", "creation_date": "2026-03-23T11:45:30.473575Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473584Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b1375cb06b0e1ec47e3afea13824cff8f3d9d995960556c0795e9bec0fe48b70", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9101d8b1-6f1b-5c63-a79e-a72b759aef3c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817417Z", "creation_date": "2026-03-23T11:45:30.817419Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817425Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "79247cd973878500461753431f1528ed35e5f85a8978bf68ac211335ffcae27a", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "911768ca-1f42-5ed1-8237-9f524b6a8a38", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815272Z", "creation_date": "2026-03-23T11:45:31.815274Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815280Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d93c9ff5be30340df129c7fbeab0657228adbc69a6a41ef18fa870c67896a013", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9120f31c-1796-5992-89a9-3004655bca09", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475987Z", "creation_date": "2026-03-23T11:45:31.475991Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": 
true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476002Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3f3675944cb37db65ef8e924d5d38142d161b76e2895e0776669cad217594c00", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9128c603-cd3c-520a-a6b6-c37da59a15c8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149075Z", "creation_date": "2026-03-23T11:45:31.149077Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149083Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ada6b01f7bebb33525bf3df2d7f353461a26f81aaf6fe152081ce18cb97216d3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "912cd4ea-7e68-5d4a-9c23-cde44c74825f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610638Z", "creation_date": "2026-03-23T11:45:29.610640Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610645Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8e5aef7c66c0e92dfc037ee29ade1c8484b8d7fadebdcf521d2763b1d8215126", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "912d96e9-d29e-5da1-9c60-9ee8900e5ed9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826656Z", "creation_date": "2026-03-23T11:45:30.826659Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826664Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "accf1ca6cdc769088de122167fbe39ccedb7265b70a0874cfe5c74fcead44b53", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9130b846-0c6d-5edc-a5c0-247819e459d5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475504Z", "creation_date": "2026-03-23T11:45:30.475507Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475516Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0856a1da15b2b3e8999bf9fc51bbdedd4051e21fab1302e2ce766180b4931d86", "comment": "Vulnerable Kernel Driver (aka Blackbone.sys) [https://www.loldrivers.io/drivers/b9b835bd-b720-424b-9160-2442bc4d6e58/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9136c9c0-7cca-52b4-a5bb-36a81995d6c5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829307Z", "creation_date": "2026-03-23T11:45:30.829309Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": 
true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829314Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9b03990f69862eb3b2a43c484a46c55122ab39184423fe2dd86f656014345d48", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "91372f37-1686-5019-b33b-71ad24e9e2f3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487199Z", "creation_date": "2026-03-23T11:45:31.487201Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487206Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8d6c7f8db8ad3c06a87a909582b3d57fd2c4610dfb29dd84a682a58522baa7bc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "913cf8a3-0d0a-5a10-b354-48d3861cc0da", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480301Z", "creation_date": "2026-03-23T11:45:31.480305Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480315Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "23bfa2f2b253cacd504bf7141aacf95542508138eaaf11552f33e914b098c9cb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "91555588-79da-56ca-99f9-eba95eea2ba5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816707Z", "creation_date": "2026-03-23T11:45:31.816710Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816718Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bd0052710de851fdb5d8f0fa875ac925f026b13b888c2439f3fd9038932f85ef", "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9156020e-a274-5d99-8854-4d6a9478f5aa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488943Z", "creation_date": "2026-03-23T11:45:31.488945Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488958Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "423eda2ea7f8197dc85633096f4b005c608a049185907d454efe559d6788eeb2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "916fff25-1937-5bdf-8560-8c46ee17d94c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478317Z", "creation_date": 
"2026-03-23T11:45:30.478320Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478329Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d998ea6d0051e17c1387c9f295b1c79bacb2f61c23809903445f60313d36c7fd", "comment": "Vulnerable Kernel Driver (aka vboxdrv.sys) [https://www.loldrivers.io/drivers/2da3a276-9e38-4ee6-903d-d15f7c355e7c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "917065f7-dec3-5521-b073-5c1067c35c6d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825102Z", "creation_date": "2026-03-23T11:45:30.825106Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825115Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "48ea9d497622facdf3b510c351059b2a9bedb0863dca334baa1ca70fdab985f3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "917ebf99-a250-562a-b29e-89464db134fb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818243Z", "creation_date": "2026-03-23T11:45:30.818245Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818250Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "18047c2d45758a43d6b7e56bcd4aa90354c899795baf944f037850c48d8e892a", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "919513ef-f647-52a4-ba39-c74fcb02e25f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143750Z", "creation_date": "2026-03-23T11:45:31.143754Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143760Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "898fcc32c0c37991f8d4322f24a33c1f39fd73b992d5f70c7393e9b870e46be6", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9195dd54-7122-5e27-a305-a55aed05cc05", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968970Z", "creation_date": "2026-03-23T11:45:29.968972Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968977Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7d43769b353d63093228a59eb19bba87ce6b552d7e1a99bf34a54eee641aa0ea", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "919f386d-2cc9-5197-8489-dfff36a6f490", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143492Z", "creation_date": "2026-03-23T11:45:31.143494Z", "enabled": true, "block_on_agent": 
true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143500Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bbe054c92229e0ddbdf7938d63488f95259f9fe7e67a216d1e6ce98bcbd10a4c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "91b2498a-1f99-59cc-9823-a4dbe564ebd4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467239Z", "creation_date": "2026-03-23T11:45:30.467242Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467251Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e37671575137d4e726efe2cfb730455bfcc5c08d553330dc68840ce8f7c63280", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "91c3b556-41bc-52b8-b2e6-71c0a5053403", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475016Z", "creation_date": "2026-03-23T11:45:30.475020Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475028Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "55054ac1fab3b2fb370640035d50d00ae41775c45a16d0737a11cef1da48faff", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "91c9ccd6-d970-539d-a801-3d06b0290aa6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972226Z", "creation_date": "2026-03-23T11:45:29.972229Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972238Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee625d1910f91fc9e79237bd60b0ee5efb85c7f859922f30e4434db6cd50fa9b", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) 
[CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "91db4c1a-0b1a-5124-8ac6-4e3b4c811f0c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140907Z", "creation_date": "2026-03-23T11:45:31.140909Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140915Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ed3d20dba43947d133ffebe08eb9caf0ca0ad822929af6e3fa9c427fd3dba03", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "91e6480f-a4b4-5263-bc8d-642f594bc441", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615537Z", "creation_date": "2026-03-23T11:45:29.615539Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615544Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1ef80a6b63766ca36e2f2a7d29c49dc5859a58604bd8fde15011d8c379f76e01", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "91e709da-f699-50d7-afc6-87c9d5da2abc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469131Z", "creation_date": "2026-03-23T11:45:30.469134Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469144Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4c068b3c86f5776e9a26680952de22e156ec9700d9c1810e5fd344c994d50419", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "91f1af97-5f41-539c-a3e6-1d00ce99e5df", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834270Z", "creation_date": "2026-03-23T11:45:30.834273Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834281Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "940cd600f3a673f646ab309e9d5f916d8071053f3b4b2cb078f3e2af3f9e887e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "91f6c5ec-a8ae-5e8e-ac5a-002cf5d5acab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452341Z", "creation_date": "2026-03-23T11:45:30.452344Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452354Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "743302af4224d5f44489290c01391c03b928126d726b72e7602fe5760e6d9519", "comment": "Vulnerable Kernel Driver (aka phydmaccx64.sys) 
[https://www.loldrivers.io/drivers/96c8fe71-3acc-41bc-9402-ebd69a961d74/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9200d4ca-f255-598c-8d67-6c5906a24f4f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971597Z", "creation_date": "2026-03-23T11:45:29.971599Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971604Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b529550e8d2ec6133be50d7139179654301ff84ba09da0cd256c5dec924a185c", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "920b2e91-578b-53ae-8b73-3665e05db90c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810750Z", "creation_date": "2026-03-23T11:45:31.810752Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810758Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "90c21147369071ed5a602577047866b8e752a25fc26e47459b3ef907f5cd0bfc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "920ff94f-7482-5884-afe7-594aef5fdedb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822246Z", "creation_date": "2026-03-23T11:45:30.822248Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822253Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1f4647364210b9ec997483f9a707a733c4e1b59263c1046301dee90890273f34", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "922128af-2b93-5147-89d4-01d31de02675", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816344Z", "creation_date": "2026-03-23T11:45:31.816348Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816380Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "12017d1a1f91ae937850d8e4314f892125491f60893ee3f7de46c76edbb7b2d8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "922288eb-9c60-5443-ada1-0091e78f03ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144921Z", "creation_date": "2026-03-23T11:45:32.144923Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144929Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "290bc7822da41f0b5580b27c8d14a2a5c3fbe3e4b6921957b134efc6beeb0aeb", "comment": "Malicious Kernel Driver (aka driver_290bc782.sys) 
[https://www.loldrivers.io/drivers/f5c1a46f-21e6-4b06-b212-2dc55b699497/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9224f3a4-8c72-5a3b-b2bc-67e05a072ae3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620090Z", "creation_date": "2026-03-23T11:45:29.620092Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620097Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b03f26009de2e8eabfcf6152f49b02a55c5e5d0f73e01d48f5a745f93ce93a29", "comment": "Intel vulnerable drivers (aka semav6msr.sys and piddrv64.sys) [https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "92256309-07db-5ad7-adf5-b03b2103b634", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468665Z", "creation_date": "2026-03-23T11:45:30.468668Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.468676Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4f5166322f578fb111b6f2af375052008a5263311890f85c3e4ebc9c0f85affa", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "92291545-1709-5502-92ef-498140151941", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968827Z", "creation_date": "2026-03-23T11:45:29.968829Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968834Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0f016c80c4938fbcd47a47409969b3925f54292eba2ce01a8e45222ce8615eb8", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "922c9706-07dd-5a3a-b0af-a56cea120412", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150616Z", "creation_date": "2026-03-23T11:45:31.150618Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150624Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f007a84ac447535f44a5c473c73216d51b9bc597842a53eb292174bcc5ebaf73", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "922d36cf-2ab9-5075-84ce-fe8acc60c530", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465850Z", "creation_date": "2026-03-23T11:45:30.465853Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465863Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a1e6b431534258954db07039117b3159e889c6b9e757329bbd4126383c60c778", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "922fc46f-1aa7-579a-ade9-6b5688d38fe4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978894Z", "creation_date": "2026-03-23T11:45:29.978896Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978902Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7f0eef1ed4c1278372348cb52e27dc3aa2f51a8b6a62db39d2af75031e55a8db", "comment": "Vulnerable Kernel Driver (aka LgCoreTemp.sys) [https://www.loldrivers.io/drivers/2c3884d3-9e4f-4519-b18b-0969612621bc/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "92302192-bd99-5149-ac27-6fd880d11b5c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150321Z", "creation_date": "2026-03-23T11:45:31.150323Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150329Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff4952837ec7e41feb582897123a7632c41d98d545ebe7936e1024972254ba07", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9232ee15-20b1-51c0-a21a-6473049d3b51", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828837Z", "creation_date": "2026-03-23T11:45:31.828839Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828844Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "515b1433d863c3c302442c23767325200edef64fab958eb59c6d00f319d473ea", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "925d698f-6af8-5f7a-8c71-8667641d520b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622088Z", "creation_date": "2026-03-23T11:45:29.622090Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622095Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24", "comment": "CapCom vulnerable driver (aka capcom.sys and smep_capcom.sys) [https://github.com/tandasat/ExploitCapcom] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9260e827-f00e-58f0-880f-e0ef15070889", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491629Z", "creation_date": "2026-03-23T11:45:31.491632Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491640Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0a5714bad41aae347b76b8ecc202d5ae92b3c19816b2bf3214fe613a4bdc9995", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { 
"id": "926a7831-82b0-59d6-8683-d5feb1113562", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493198Z", "creation_date": "2026-03-23T11:45:31.493201Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493210Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "024831aba0bd668e0cdf8ec29eee4fcec329ff821b2baa38eda4915f4b9c0837", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "926cc190-8416-5aee-871a-544c57246f77", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820980Z", "creation_date": "2026-03-23T11:45:30.820983Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820996Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "423f052690b6b523502931151dfcc63530e3bd9d79680f9b5ac033b23b5c6f18", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9275f722-0cd8-5907-a3b7-fec782a7edd7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809622Z", "creation_date": "2026-03-23T11:45:31.809625Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809633Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e8fdda338b7f5232978e2a1cbe4b67be0130164dc7e548ee6e555e09aa917f24", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "927606ae-6753-5b07-9c4d-83aa79ce99d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823422Z", "creation_date": "2026-03-23T11:45:30.823425Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823434Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "98ebd924e01b6853307377855678ac6a64544ab3614eafff7b6f5df6ed3066ff", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "92763c03-2760-5d9c-80db-37bd8f8f4769", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499135Z", "creation_date": "2026-03-23T11:45:31.499138Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499146Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "87881cfe09f0f5b5b1a2a1bee260c050940ab35df241099a404cc13a036b7b13", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "92933035-4108-59a6-9518-209e17bb6ab2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974627Z", "creation_date": "2026-03-23T11:45:29.974629Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974634Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d74599ab8960f16e8026dcd564c5407956444c46c3dea6b38b1c243fbbbdc517", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "92959c3d-331a-5bea-8e28-bd75f3730f2a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828991Z", "creation_date": "2026-03-23T11:45:30.828993Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828998Z", "rule_level": 
null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b1fe6090645df9221ce904c212c5583d1eae6d20cf3292d0abeb4acbe16dbd9b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9299b33e-70d1-52c9-83a3-8b6565b34409", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153202Z", "creation_date": "2026-03-23T11:45:31.153205Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153214Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5f575506837941d91025f94e839bd0b533b01dab253efea0c4a7f9fbd89e2958", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "92a1fd96-4d0c-5cb8-bd6b-dccee5941d96", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143024Z", "creation_date": "2026-03-23T11:45:31.143026Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143031Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e08def1e56b5433b999448d4476a7496355cbfdac1a90bd8948bd8f237225f40", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "92a8c966-b8db-5336-a856-1d5906dfda2e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493239Z", "creation_date": "2026-03-23T11:45:31.493241Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493247Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d08ae4dc2cac242c70820beca3c2977d8af9b8ea9e8611fe0488b9fc1159a415", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "92af07f2-e509-5484-9adc-217cdde7b514", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458465Z", "creation_date": "2026-03-23T11:45:30.458468Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458477Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0f4ca9e9507724526f2b624d165750344473d388da38b7f3f6a8366dbc15140b", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "92bb21fb-6c71-541d-9f5b-177bd33bdaa6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144353Z", "creation_date": "2026-03-23T11:45:32.144355Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:32.144361Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "af5a2122b55ee9d8cd3dd49c4ac41bfc9b354912480f06fa7de19829c00c2720", "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "92bb419b-04db-5e2e-889e-3dc2c8e7cf0a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479334Z", "creation_date": "2026-03-23T11:45:31.479339Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479349Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7f9f420e780b3d7a836c09eef910546389310d8bf1ccc7104f711b0430407c2d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "92c5369f-65df-5782-a9b4-ceccba8358dc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830969Z", "creation_date": "2026-03-23T11:45:30.830972Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830981Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "efb1587c1b1ea61a10a68da83b386808102f29253a16339e10b6bfd9c69eaaee", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "92d2048f-b835-5883-aa6e-8cd362a2ecbd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973432Z", "creation_date": "2026-03-23T11:45:29.973434Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973440Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fca10cde7d331b7f614118682d834d46125a65888e97bd9fda2df3f15797166c", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] 
[https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "92d3bbf8-8947-5dac-8f45-9917ccdb5106", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481604Z", "creation_date": "2026-03-23T11:45:30.481606Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481612Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ba40b1fc798c2f78165e78997b4baf3d99858ee39a372ca6fbc303057793e50d", "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "92deb819-4ef7-596b-8fc9-663a54848c4b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828050Z", "creation_date": "2026-03-23T11:45:31.828053Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.828061Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "84107d0c7ccd6f88aaa50f4c5185e33df14d16ebf874051c8c0d56ae4d653fb6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "92e7fc75-7718-527d-8a19-5c4a38ae1735", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499082Z", "creation_date": "2026-03-23T11:45:31.499085Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499093Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "419e0a1e0ba3e06442a0076e289e11bfd2566aa1a818787b3231fd64d845d2b5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "92ec7335-c17a-5597-ac00-0f389d1137b8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481776Z", "creation_date": "2026-03-23T11:45:31.481780Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481790Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "63a12cbb24bb2fa057b700fd2c59f24ce916c2124ca193b987e2079fa235c15c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9304882d-d209-51cc-ab16-8101699cb390", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472842Z", "creation_date": "2026-03-23T11:45:30.472845Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472854Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2298e838e3c015aedfb83ab18194a2503fe5764a862c294c8b39c550aab2f08e", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) 
[https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "93049b59-d24d-51ac-9901-45f198e9be4a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152364Z", "creation_date": "2026-03-23T11:45:31.152367Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152375Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "721ab9d65148c5f29f0bc716ce7bbf8159f268108201f50e552bf5ead290cbaf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "931c31c7-03de-5107-9385-17fee16a6bdd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472171Z", "creation_date": "2026-03-23T11:45:31.472176Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472185Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b7d1d1058ebae552d0f030e059b61865d00e0a7227a42024d6e05b1f8b04657b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9321d471-67b6-5357-b93b-38cd0c5c6839", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140319Z", "creation_date": "2026-03-23T11:45:31.140323Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140331Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ae4d56428c041fc6a35f79926f9792103042c41a2a64a334b6318d64430cf13c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "932bbe4c-1aaa-57fb-8eed-9fbcc8737645", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823394Z", "creation_date": "2026-03-23T11:45:30.823398Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823407Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "97153fdb315e84580b49aeb66709c419979c26b3ded5f2b4142245c18548eeb1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "933144b2-4e34-5448-9eab-d57143439810", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160777Z", "creation_date": "2026-03-23T11:45:31.160779Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160784Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "094476116a7905fb52057dbfdbb6e37a0a46da61123ac86faefe67b41f7edd7b", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "933338b2-0b96-5640-916d-5d55fb1fc725", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817790Z", "creation_date": "2026-03-23T11:45:31.817794Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817802Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0e28fd8e85a380cf4e6abc08cb7e0cb98649a96fa835f8d613bc7ca350e93505", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "933352f8-27af-5cf2-8223-1f6b1a8a63ba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461239Z", "creation_date": 
"2026-03-23T11:45:30.461242Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461251Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "103c1735b0ad3fc22070c3268580cd3fdbef0129a787dbc51bd5d36639515a8f", "comment": "Vulnerable Kernel Driver (aka sfdrvx32.sys) [https://www.loldrivers.io/drivers/6c0c60f0-895d-428a-a8ae-e10390bceb12/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "933356d5-d044-5fff-a472-75966216d56c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606593Z", "creation_date": "2026-03-23T11:45:29.606595Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606600Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bd2d79f3930dab33ec2851c16da7e3043dd819df1592d965ee9d52b91b44ea4c", "comment": "Legitimate Microsoft Sysinternals Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS); not itself malicious, but blocked here as an abusable signed kernel driver. Expect benign matches on hosts where administrators run Process Explorer elevated - review before relying on quarantine [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "933ca585-c379-5629-b4c7-616612d47581", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614822Z", "creation_date": "2026-03-23T11:45:29.614824Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614829Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a9706e320179993dade519a83061477ace195daa1b788662825484813001f526", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "933dafec-878a-5763-a98a-fd81f3cc2e71", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620478Z", "creation_date": "2026-03-23T11:45:29.620480Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620486Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f88ebb633406a086d9cca6bc8b66a4ea940c5476529f9033a9e0463512a23a57", "comment": "IBM Vulnerable Physmem drivers 
(aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "93420501-6efa-5945-aab5-966a810195ae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471440Z", "creation_date": "2026-03-23T11:45:30.471443Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471452Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0897935ff2e0e7cc23a036ec0791d587b4799a299c8d6d65f364a8bdff645760", "comment": "Vulnerable Kernel Driver (aka tfbfs3ped.sys) [https://www.loldrivers.io/drivers/500e07cb-77c6-4e83-ae3f-73f70f1c10b5/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "934a8a7a-cce6-5942-854a-409a5e87dc18", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.471715Z", "creation_date": "2026-03-23T11:45:31.471718Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, 
"hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.471728Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47d2122b487192f6b36f6bcb6b1ff8d3f5c5d2a0088918c88ff2abda965998a0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "935b54e9-353e-5786-9cd6-2df2e52cd2fe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.497725Z", "creation_date": "2026-03-23T11:45:31.497728Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.497737Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9470208b5df920296d2e006666d56010dc2281298ff9496d3049e6f5cce3301c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9375c93f-645a-5a0d-b7ae-6bdba5540681", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830546Z", "creation_date": "2026-03-23T11:45:30.830548Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830553Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e975e5164f58cd8a540406fd3af42e53ffab7fef8caa9b0c02b6ae45dc35b49", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "937b703e-2e84-5f79-b8c0-0a913c8eef8a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.142727Z", "creation_date": "2026-03-23T11:45:32.142729Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.142735Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c71f2fc9b795c39a73c4dcdd3ad2b7e1204eec3e783d43e47dd72814d33739cd", "comment": "Vulnerable IKARUS anti.virus Driver (aka 
ntguard.sys and ntguard_x64.sys) [https://www.greyhathacker.net/?p=995, https://www.exploit-db.com/exploits/43139] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "93876cc1-b785-53da-8156-ccef9d16df3e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604464Z", "creation_date": "2026-03-23T11:45:29.604466Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604472Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f8aeb50a115b4d35f15f876eb1a6e5ee5f3a142de12eec50b6bdf81196ffbea4", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "93994cca-607b-5ef0-b432-9fa288fde46e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495707Z", "creation_date": "2026-03-23T11:45:31.495709Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495714Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "92def912354238e7a5c2ad0184f27b4fbbba1b7d6a8741aa9677ce3bf13785d1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "93b266cc-084b-554f-8e3e-14e3fb27b0ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826244Z", "creation_date": "2026-03-23T11:45:30.826246Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826252Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fcc4501b82401f4c01f2b016a258cb7627660d1284ba870ec426e804eeb5d53e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "93b34222-eaaf-5c9f-9ab0-f823633e6aa0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820463Z", "creation_date": "2026-03-23T11:45:31.820467Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820475Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8430d5a27a590697fe71308aff46f6fea1482ed110c55014c050642618f58214", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "93c08e85-33ba-5ce5-82e2-fb4ba445273f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822918Z", "creation_date": "2026-03-23T11:45:31.822921Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822929Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "65972828f8ccff5b09940cf0336d0ca4b812222e53f1718d974d06bedfa074cf", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "93c42949-b058-560e-8022-5e25fd5e3afd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976570Z", "creation_date": "2026-03-23T11:45:29.976572Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976577Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "565733b6e6d8f7b9661f04a3b4f29372f5dec080512551204b92ac4916a144cb", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "93cd02e4-7528-581b-a8c4-f804497884ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473763Z", "creation_date": "2026-03-23T11:45:31.473767Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473777Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d1e408acb91b4053ed463244bf095670e12cc28d0fee927a638451ae049fcdc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "93cd1e20-2585-5ce5-9a46-45ce6c7a93c9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829812Z", "creation_date": "2026-03-23T11:45:31.829815Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829824Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ac9a215dc3bec6b9f987bae02fdb90f14ec3ef8a0490b48c40f5317691ee4898", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "93d0c301-7e70-58b0-93ce-0cb85870abac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835518Z", "creation_date": "2026-03-23T11:45:30.835520Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835526Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0f38eb237a6e698b504a8763a6cb0223726b17807969a12bc6bd17f66057cd42", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "93e6eecd-85dc-5322-9ac2-a7b7d21654b7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985216Z", "creation_date": "2026-03-23T11:45:29.985218Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985223Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6b11aa02ee9e5cb9b6d20aff4f548187f6095b63c5a6215c08b8c2ae69a7a62c", "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "93f19e7d-1c83-5522-9e96-8d8c7802bbc3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833345Z", "creation_date": "2026-03-23T11:45:30.833348Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833357Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c348b0d8d702748fa01443cc735b14de2ad65820f7218f9ffd02692d7eee626a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) 
AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "93f3d45a-0b98-5d5c-8952-d5f790d719eb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832115Z", "creation_date": "2026-03-23T11:45:30.832117Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832123Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5238c3912c3969d9a005e2525d501a55d177961529b29a54e4d97d235cc65913", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "93feb702-d1ab-54f5-a2e6-5e2b746d7468", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477432Z", "creation_date": "2026-03-23T11:45:30.477435Z", "enabled": true, "block_on_agent": 
true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477444Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "83a1fabf782d5f041132d7c7281525f6610207b38f33ff3c5e44eb9444dd0cbc", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "93fedf1e-2b94-5a02-a62d-3dcea9a8cd21", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490084Z", "creation_date": "2026-03-23T11:45:31.490086Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490092Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dff9d896a6d9c5e4ad62212f502035c481062a9b7c19fd54658fead161d6a371", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9409edb9-580f-55a9-be15-3069f798b8e1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976982Z", "creation_date": "2026-03-23T11:45:29.976984Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976990Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "762989dc8ea7a6c5928254676052343ab1a15be2fd5ec3ded5f72487127ee590", "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "94129283-00ce-5d94-a24d-75ab2897182c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975343Z", "creation_date": "2026-03-23T11:45:29.975345Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975350Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a076e66065161bdca4680f0f3a3d0767a25c344fa25cc64473f4ef4f926898ef", "comment": "Vulnerable AMD Ryzen Master Driver (aka 
AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20562, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "941f0bfb-c9e8-5e10-a4f3-8a7d5a46eb9e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457478Z", "creation_date": "2026-03-23T11:45:30.457482Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457491Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3e1f592533625bf794e0184485a4407782018718ae797103f9e968ff6f0973a1", "comment": "Vulnerable Kernel Driver (aka rtkio64.sys) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "94239da6-2175-5b8d-8a68-df842b72d335", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612403Z", 
"creation_date": "2026-03-23T11:45:29.612404Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612410Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "673bcec3d53fab5efd6e3bac25ac9d6cc51f6bbdf8336e38aade2713dc1ae11b", "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9450e6ff-4fce-5edc-88e9-e035eeb71eac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604283Z", "creation_date": "2026-03-23T11:45:29.604285Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604290Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ac76256f8ca6608abe84ca194d46bc581706ecc6813e1abe5fa2b6cc3b4bdade", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "945746b8-d2c9-5696-96c2-fd9626d702c1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159288Z", "creation_date": "2026-03-23T11:45:31.159292Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159301Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f11891bc187a7a7ce69f67866216c3a3a2579c3ed8c8a011ad61eb5e1e811f80", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9463724d-da4d-5296-b4e0-7f6959991a3a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825716Z", "creation_date": "2026-03-23T11:45:31.825718Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825724Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"cd78008c060e3613053cbccdab514f3622d66bbca32800a00a2c3e7dddf19899", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "946a3ca8-625b-54e3-afb1-08ef8f457652", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469658Z", "creation_date": "2026-03-23T11:45:30.469661Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469671Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "77d7a8efe05ab7041fa33280f271edca9fa46c074885de5d03f4cbf343e65f2d", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "948adb32-87a7-53ee-87ce-2a23c59ac824", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817435Z", 
"creation_date": "2026-03-23T11:45:30.817437Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817443Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cb3dd0482092eb019dc11797dcf09f69fb3f06330e1fba0047678b226b57c2cd", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "949bdc61-5746-5181-a0b8-309c8d04c0af", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814807Z", "creation_date": "2026-03-23T11:45:31.814811Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814821Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5c0f29e618de3279c8e8acfa40e5401c07babd6745b424c70924e4af4c70a5fd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "94b5c781-0054-51f6-aca2-7c976bf1e3e6", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152262Z", "creation_date": "2026-03-23T11:45:31.152265Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152273Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7e9f972b519c685988bc5a7f6c4ccb22b9a772e9656bb993b6352106debe4b61", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "94b86396-5cdb-5c00-9dfa-a058b466d8b5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607979Z", "creation_date": "2026-03-23T11:45:29.607981Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607986Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"478c36f8af7844a80e24c1822507beef6314519185717ec7ae224a0e04b2f330", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "94bd268d-12b7-52ee-8b35-7774be423938", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828311Z", "creation_date": "2026-03-23T11:45:30.828313Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828319Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ba02e43430d579145900f42374fc56bf273024ecfbd44ce5532eda11ac0ba508", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "94be0003-257a-5907-bd65-33d21497d65b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818364Z", 
"creation_date": "2026-03-23T11:45:30.818366Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818371Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "680ddece32fe99f056e770cb08641f5b585550798dfdf723441a11364637c7e6", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "94d5ac28-9db0-500f-8686-954e961d829b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819585Z", "creation_date": "2026-03-23T11:45:30.819587Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819592Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f4e500a9ac5991da5bf114fa80e66456a2cde3458a3d41c14e127ac09240c114", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "94d60cc0-9cfb-5cc0-9652-0ba2c2dc7860", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970315Z", "creation_date": "2026-03-23T11:45:29.970317Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970322Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f9b01406864ab081aa77eef4ad15cb2dd2f830d1ef54f52622a59ff1aeb05ba5", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "94e2e2ef-8d3e-5f8b-b372-6e6410980cdf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832567Z", "creation_date": "2026-03-23T11:45:30.832570Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832575Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b3832cb8733556dd51ecfe0249453dbb1c2e68a4fadd2ccdda42095e6d34e143", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "94ec62c4-a471-5be9-ad86-3a60a50fa768", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605469Z", "creation_date": "2026-03-23T11:45:29.605471Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605476Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9b6a84f7c40ea51c38cc4d2e93efb3375e9d98d4894a85941190d94fbe73a4e4", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) - legitimate signed Sysinternals driver abused by EDR-killer tooling such as AuKill; this hash also matches legitimate Process Explorer use, so review context before treating a hit as malicious [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer, https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "94f48674-5043-5968-8419-00d4647b4c97", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972055Z", "creation_date": "2026-03-23T11:45:29.972057Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, 
"hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972062Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a59c40e7470b7003e8adfee37c77606663e78d7e3f2ebb8d60910af19924d8df", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "94f72601-f212-5b22-860a-2e09abaabcc3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812580Z", "creation_date": "2026-03-23T11:45:31.812582Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812587Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3937547494dc6b46f7b584635a8e15d1a63101b4d90a7d11bef54b0d70537e1c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9516741f-12fa-5711-8b5d-cb434fca36c8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819360Z", "creation_date": "2026-03-23T11:45:30.819362Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819367Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e38c1b19e1bef9be8e9d8aa0d599086acb33867988e4077e0e7f35cc2bb30738", "comment": "Vulnerable Kernel Driver (aka hwdetectng.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "952631bf-32cd-5c56-9634-6538d0db7e4b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824349Z", "creation_date": "2026-03-23T11:45:30.824351Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824357Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6ca247c3ca4ba56ca1e2c8a5972d5a147de33b335f0b8dcebc8657cd1c4b5f83", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "952d56b7-e4e1-58ed-b37c-56e68c2bf0fb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836754Z", "creation_date": "2026-03-23T11:45:30.836756Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836761Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6cf4d8c1ec738738fa6c7cd130c9658eb21faaef0a9f8659bde2efaad88d02b2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "952fe222-ddf0-567a-8417-60f175f39a77", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149144Z", "creation_date": "2026-03-23T11:45:31.149146Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149191Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "744ed029e9736a98f8e21b8e5d45e78a1cdeeeeb54701c4777099194de8eb6ab", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "953521ba-e961-5900-9202-58a0d930f06c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823944Z", "creation_date": "2026-03-23T11:45:31.823956Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823965Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "158c24d677ba46f36ee7af78321cc18070518d31d39cba466f121df3025c3ec5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9535de87-b09d-5208-90ee-a4dde33c391c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153230Z", "creation_date": "2026-03-23T11:45:31.153233Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153242Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c96a79153fb6a5cbcea22594e0305c1290f98d22a6205f9c5aaafd86ae3d027a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "953aea04-e443-50f6-a66d-f2ab2cf42983", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480759Z", "creation_date": "2026-03-23T11:45:31.480763Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480772Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "44ec870309da8e35fc9c6cf3b82029ea780a15a6c24a95bbf498f76a1e45f0d9", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9550324a-f828-5ca5-9ee7-2ad6504c354e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816809Z", "creation_date": "2026-03-23T11:45:31.816812Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816819Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e599011e68fe87619f887731f8cefff3e7f2379fdb3432b1c0806a7b2908b2a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "95562fd9-1249-5a3b-8500-20568d458428", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829673Z", "creation_date": 
"2026-03-23T11:45:30.829676Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829685Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8f7b50d590b81850bb0a84fa1314cfd8572abf90fa9b4de8b89e1e9f906df35c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "958d9671-e989-5469-93d7-355e5034fdee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494546Z", "creation_date": "2026-03-23T11:45:31.494548Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494554Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fdbc03908ce11512ba109d53e8d62b27e347683ff6aaad37d48b4eda3d2dddbc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9597b55e-da1f-5527-b410-5788e431c313", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491170Z", "creation_date": "2026-03-23T11:45:31.491173Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491181Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c91902a47dd1324d534da43f97802017525c0569ff43e505d98501fbee10a6ae", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "95bac36c-b45d-5b7c-9f58-023d05e26ee5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477321Z", "creation_date": "2026-03-23T11:45:31.477325Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477336Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "e9a210fd7d55526d329aed28aa20a32a706e9a4ae631ae314983b7dadc223265", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "95bfb187-0c64-55d0-a36f-8a40afe1e44f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150530Z", "creation_date": "2026-03-23T11:45:31.150532Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150537Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "44f369c19a088e940ebcecaf4e76ceb5de2df6de99d6ec6eb42d76653e294a3c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "95c44536-5b79-5f23-a681-a8992341b5ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606332Z", "creation_date": "2026-03-23T11:45:29.606334Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606339Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "decba65bbf2232ac55a698539304cab211b45eef0ed17c05dd7995bef2b98fc6", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "95ce19ea-6093-5c3a-b8b8-6e38e5776ca0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.478633Z", "creation_date": "2026-03-23T11:45:31.478637Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.478646Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e867e441d3cd8f642628c2f5fe444c3530fecf8110e854705c7e69fb17361eb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"95de7c68-6302-5c3c-b3e3-c2dfae63c647", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822406Z", "creation_date": "2026-03-23T11:45:30.822408Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822414Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "58d81ddb4104c37284b15fca0d90b4388e430a34d93823df1a3514962dbcddb5", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "95e381d1-773b-59bf-91d2-664882043a0b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499616Z", "creation_date": "2026-03-23T11:45:31.499619Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499627Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "8c83a6c5a958d37120860687502a434c1cca089e832e0c6722d10341518d9c2c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "95f15f28-d7eb-5afb-bf5f-8b2996e32d36", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820737Z", "creation_date": "2026-03-23T11:45:30.820739Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820744Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f14da8aa5c8eea8df63cf935481d673fdf3847f5701c310abf4023f9d80ad57d", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "95fd2d2e-65c6-549a-a8a7-a0a064de87b1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810073Z", "creation_date": "2026-03-23T11:45:31.810076Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810084Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd5657f459dfb4f93069a1a9ae1968836a4ef63d88236b65b9bf8a120f0c0495", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "96003a1f-dbcf-51b5-b601-ab7abdbbbbaa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468286Z", "creation_date": "2026-03-23T11:45:30.468290Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468299Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2c44c0464e5b01540ba573be7555b3fcbdb65c9f1193f9c1d02b04c70090d4ac", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "96073a34-cef1-5b14-a28f-f6a4af90d790", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490678Z", "creation_date": "2026-03-23T11:45:31.490680Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490686Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "841d4abdf793d1e16adc215eed8b34ce477a146d1e05620abc6ddfdb0f008ba9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "961faf78-0b83-5c21-b2b2-0e4b70c773c8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.986066Z", "creation_date": "2026-03-23T11:45:29.986068Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.986073Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "7aa067d928404795b4eb9c169639f23997227504ca4eb7b5b21518e6155abd47", "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "962039f0-3b08-52d8-89b1-9dc27e23ee4a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452650Z", "creation_date": "2026-03-23T11:45:30.452653Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452661Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5d10285d802fa793c217933c907d82db58977b865b3dad3848c6ed2550022413", "comment": "Vulnerable Kernel Driver (aka phydmaccx86.sys) [https://www.loldrivers.io/drivers/1055625b-3480-48b3-9556-8628a745d8f0/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9629d955-c807-5b7f-b621-1ba06aa31d5c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836771Z", "creation_date": "2026-03-23T11:45:30.836774Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836779Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d98c45421981f03a80c8237c0e04d897d637f5375c9ea31b2d6720dcd1fccc5c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "962b83f0-8be0-5635-af18-0a63b0f55723", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825575Z", "creation_date": "2026-03-23T11:45:31.825577Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825582Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d994c963dd4845936895346870b7d84fec03cc9d1bb495ef7a3049d386b9a1d7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] 
[file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9635663a-e305-5cbc-be6d-6f9493af3e5b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980379Z", "creation_date": "2026-03-23T11:45:29.980381Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980386Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d7b743c3f98662c955c616e0d1bb0800c9602e5b6f2385336a72623037bfd6dd", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "963bc974-a45c-548b-a466-228de2992b4c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493452Z", "creation_date": "2026-03-23T11:45:31.493454Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493459Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e74a5c67a449d84b5ab5c3556e96698f914526e7002bc52be1e59c875e2cea40", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9640599e-f57c-5160-a65c-705e2d1fc238", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155666Z", "creation_date": "2026-03-23T11:45:31.155668Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155674Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0c557d14174aa4690efa1a2cac47c1ff8d31c4ddf83f437b36360cb51b2bb17", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "964c0ff5-2f26-5c7a-a318-dfbb2c216d2d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470192Z", "creation_date": "2026-03-23T11:45:30.470195Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470205Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "951edade4ad00b185929c14622e5efcac1069cadaf6bcc945e744c30f069c9b9", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9655220e-adae-5fd0-b3f8-eef1b28611bb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469806Z", "creation_date": "2026-03-23T11:45:30.469810Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469819Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cbf98b321670fd17462e7ceb8a0d002b9a1474f8015d94ea267a942a2e20c80b", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"965e16ce-e6e8-5fa7-95f1-07a49921cf71", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816555Z", "creation_date": "2026-03-23T11:45:30.816557Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816563Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bb3b45506d203aafb4ef28586c0655cd2e9095e6238a8ccf76ab6eb6113b4476", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9669b12d-935d-52a4-8d5d-fcebc01b711e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809158Z", "creation_date": "2026-03-23T11:45:31.809161Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809169Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "3b0c0ebf75a563c07b8406d3946a927e3deb0d60a52600497e4a4eb9dbafe881", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "966baff3-3498-588c-9dbc-26038cc09bf0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828884Z", "creation_date": "2026-03-23T11:45:31.828886Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828892Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7ca8956df2fde0e7ab8fe9f0cc4e03a69b0ff18b39b1618e64ba989a4a14a14e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9676115c-425c-50d9-8d7b-f2a6834d1d86", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477225Z", "creation_date": "2026-03-23T11:45:31.477228Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477237Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3515a69fdcd951f4aed637a3c3356378b56e32d79b7b597d7ae9cc1c153b3b7b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "96795c8f-168d-5c6b-9ebe-59681a2b58c6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808075Z", "creation_date": "2026-03-23T11:45:31.808078Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808086Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "67891a95788e438cd8c1ad5cc8027092e57c081847d019ce33e0b304b9c6a5a3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "96814314-afe0-504c-b038-7dbf0a8c48e3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820530Z", "creation_date": "2026-03-23T11:45:30.820532Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820537Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "31add0358eb679d7c10ac1622403a85891bf764154280a589e71ccd297fc7a16", "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "96835009-f048-5bf0-996a-7ec39ff0c995", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157084Z", "creation_date": "2026-03-23T11:45:31.157086Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157091Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eb492ba828682133959cac42660c30166e7e255d0e78bbd2a150457fc7688c3a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "969aa62d-de2e-5596-a0f8-8a9f52b95028", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478375Z", "creation_date": "2026-03-23T11:45:30.478378Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478426Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d44848d3e845f8293974e8b621b72a61ec00c8d3cf95fcf41698bbbd4bdf5565", "comment": "Vulnerable Kernel Driver (aka vboxdrv.sys) [https://www.loldrivers.io/drivers/2da3a276-9e38-4ee6-903d-d15f7c355e7c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "96b8e774-0125-5361-ade5-34375317bd0f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459624Z", "creation_date": "2026-03-23T11:45:30.459627Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459636Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "44a0599defea351314663582dbc61069b3a095a4ddad571bb17dd0d8b21e7ff2", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "96bd207b-2388-5da8-bb30-67722ca910c6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969292Z", "creation_date": "2026-03-23T11:45:29.969294Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969299Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "be8dd2d39a527649e34dc77ef8bc07193a4234b38597b8f51e519dadc5479ec2", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "96cb1210-1437-5c22-a744-136a6c727149", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612832Z", "creation_date": "2026-03-23T11:45:29.612834Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612840Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "55963284bbd5a3297f39f12f0d8a01ed99fe59d008561e3537bcd4db4b4268fa", "comment": "Marvin Test Solutions HW vulnerable driver (aka Hw.sys and Hw64.sys) [https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "96d9105c-054d-5b4c-9566-77bf1d36e7a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150444Z", "creation_date": "2026-03-23T11:45:31.150446Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150451Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "77e42a3df51e106a8f7bc905e9b56b2d7a51fc72777a835d5c0e066be3c37279", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "96d95ca0-26c8-5ddc-9a24-5fe0a96fb5f8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477921Z", "creation_date": "2026-03-23T11:45:30.477924Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477933Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c4fc8f04721363f4b570accf700f507fb0b0381a81d3a8ffb768ded65978ac50", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "96f1f46e-adfb-50a0-a6c6-96d811019e58", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:29.608189Z", "creation_date": "2026-03-23T11:45:29.608191Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608196Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4127dace7354514f4698d94ba29affc9815c6d35b258883028c523fdba675218", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "96f63ecc-b58c-5684-b828-acd7bc0975ef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813245Z", "creation_date": "2026-03-23T11:45:31.813248Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813256Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d2749ad65ee9272ed72c9569371b056a2c16d89a63cee3c45bdb447e5e8fdbbf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "96fb724b-9673-53d6-9c08-12b8fb41595a", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156808Z", "creation_date": "2026-03-23T11:45:31.156810Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156816Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f011a0917120872193694c73f03788e500b6fc80faea219d876366eb80777fbd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "96fd1301-30e0-560a-ae4f-6ed92f391c68", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616221Z", "creation_date": "2026-03-23T11:45:29.616223Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616228Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "19a212e6fc324f4cb9ee5eba60f5c1fc0191799a4432265cbeaa3307c76a7fc0", "comment": "Huawei vulnerable BIOS update tool (aka Phymemx64.sys) [https://www.loldrivers.io/drivers/268e87ba-ad44-4f3c-986f-26712cac68da/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "97030c91-da74-5db6-82f6-9315a1d5dacd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816039Z", "creation_date": "2026-03-23T11:45:31.816042Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816050Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7942bc1c3c3699fc8ca271f42396f9f3115419fd2000bb2271e5c97baf9f0df2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9707d6ff-dc80-5fc4-9c74-80dbac1a6a28", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809701Z", "creation_date": "2026-03-23T11:45:31.809705Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809713Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "689ed52d962fb6e8467ae8acb861e54b67af81a43a09332f84487b7c5a7295ff", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "970dd668-8f04-5344-9ff9-d252646fe0d1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477132Z", "creation_date": "2026-03-23T11:45:31.477136Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477145Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6c50bcdc8b656a8e4eb027cc9bdecde9839b1d264e28d396bd9444ff1fc1fa36", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
} { "id": "97124aee-e046-5366-b6db-4583bd8351e5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971951Z", "creation_date": "2026-03-23T11:45:29.971953Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971958Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dec391d24c986f2d0af0fb680705e4d22ff6f1d8aeb2656c9e7159dd873d22fb", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9712c8aa-d212-596c-8fd9-e08ea37f5cb5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833261Z", "creation_date": "2026-03-23T11:45:30.833265Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833273Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "eabb8103cdc97c7cdfaf60424922d10f0c8ed93aa2445d744c7bbf818bf42abd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9718d72e-b3f6-5725-9047-ecb60d7db4ed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821102Z", "creation_date": "2026-03-23T11:45:31.821106Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821114Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a5e58c8d462a64fd87ba105e322ffe187ee3f579b9a4f2d3979a0591e26c7289", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9719fff2-1fb3-5a27-89d3-390ab652d22f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145053Z", "creation_date": "2026-03-23T11:45:31.145055Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145061Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9d81c5fd006b5426dfac0775df41310d4baa7e5658b5dd98c211bb262f162bc0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "971b627c-1aba-5d37-8b5b-971d50ea6320", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490609Z", "creation_date": "2026-03-23T11:45:31.490611Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490616Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b234b96dc4c064eb7cb9a2c742b271519d61eb957c32d2fc8772238f826286eb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9722e225-3c41-52c6-8ea3-5e7e757adea1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968809Z", "creation_date": "2026-03-23T11:45:29.968811Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968817Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0cd4ca335155062182608cad9ef5c8351a715bce92049719dd09c76422cd7b0c", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "972ff264-e540-5887-b3d2-d53553996af0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477200Z", "creation_date": "2026-03-23T11:45:30.477203Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477213Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fed0fe2489ae807913be33827b3b11359652a127e33b64464cc570c05abd0d17", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9733fd1c-53c1-5cf8-836d-d2a760efe781", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454327Z", "creation_date": "2026-03-23T11:45:30.454330Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454339Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56", "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) [https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "97381357-272b-501c-8d30-3b07a543cb25", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830034Z", "creation_date": "2026-03-23T11:45:31.830036Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830041Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dffb52619e11ec118a68f4aeebec49a78908de6348ae4db5eed4625028383d34", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9750936e-32e0-5a2b-bad9-30f38d4b73b7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810468Z", "creation_date": "2026-03-23T11:45:31.810470Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810475Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0aaa8a63ee22354585282a5aa02148c69931fc569fb059f2caf7cbeab5a81ab2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"97646d4c-e763-5a56-8e49-575609477267", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482696Z", "creation_date": "2026-03-23T11:45:31.482699Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482709Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "60f11064c0db8906831f716c191a602abd44dbb96f07d2a1cda6a973ff2935b8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "977058a3-53ac-5252-a5d7-96237d07dc8a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492126Z", "creation_date": "2026-03-23T11:45:31.492128Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492133Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "61fbeaf94ab0cdbfb6f3ea518929651e83e6fdddc470989aaaa3177ca19350dc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9776d780-c455-505e-8c80-beedeca2cd74", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971125Z", "creation_date": "2026-03-23T11:45:29.971128Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971135Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "00bef60f6b7813aec6733107144dc92f374cea63a7b612f788423bb34f8aabf8", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9776f54a-49ad-5906-8d42-636b19cd8484", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830186Z", "creation_date": "2026-03-23T11:45:30.830188Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830194Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "50e5753471ed74c3bba67d5d959cb7a6f820a93633012c756ed40ebccc44d051", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "97770fd2-96b3-523c-8c57-3be696d76f53", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818983Z", "creation_date": "2026-03-23T11:45:30.818985Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818990Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1126c9b043872383e5e0b1ac893ddf2238a2c130401627b259c81d98a3cefeae", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "97799ae9-e443-592a-85a8-35879126da4d", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481256Z", "creation_date": "2026-03-23T11:45:30.481258Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481264Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c0a63e8a6a335f2498794f44cf5629453075f31db314eaecbd964cf615de3f7", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "977cbb47-7a5b-582c-8b85-c282895516ea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826508Z", "creation_date": "2026-03-23T11:45:31.826510Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826515Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": 
"hash", "value": "00526be468c68c919a32b110c1faaa50f8ee1646a11ca856a8b6730e5505deba", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "977d5e3d-c3f3-51f6-8c89-da0e14e2efda", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985356Z", "creation_date": "2026-03-23T11:45:29.985358Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985364Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6cb51ae871fbd5d07c5aad6ff8eea43d34063089528603ca9ceb8b4f52f68ddc", "comment": "Dangerous Physmem Kernel Driver (aka Se64a.Sys) [https://www.loldrivers.io/drivers/d819bee2-3bff-481f-a301-acc3d1f5fe58/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "977e93ad-d41f-5c89-8e10-3bf19c3b7ac0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.454477Z", "creation_date": "2026-03-23T11:45:30.454481Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454490Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "be690e8bbc4b0ba4b37c1a331294655dff0c73be530428a447e318c06ec06d57", "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) [https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "978ebec5-d845-5453-a651-b8fe1c149f0d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460236Z", "creation_date": "2026-03-23T11:45:30.460239Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460248Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d3eaf041ce5f3fd59885ead2cb4ce5c61ac9d83d41f626512942a50e3da7b75a", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "97955461-896c-576a-bf7e-ba061f6c9493", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817339Z", "creation_date": "2026-03-23T11:45:31.817341Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817346Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0df5c9f9fd26de96f6b3d09ddc481921ba209dfcc2bcec2a9e39b7c28b802d16", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "979d1fd2-26c7-53d2-b691-4597d0ac7f8e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479845Z", "creation_date": "2026-03-23T11:45:30.479847Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479853Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"2a11b4f125d8537e69af7b684494e49ef2a30a219634988e278177fa36c934eb", "comment": "Vulnerable Kernel Driver (aka capcom.sys) [https://www.loldrivers.io/drivers/b51c441a-12c7-407d-9517-559cc0030cf6/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "97a5cb28-a177-5e1e-9c67-8ebb2c70bd31", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979308Z", "creation_date": "2026-03-23T11:45:29.979310Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979315Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "139f8412a7c6fdc43dcfbbcdba256ee55654eb36a40f338249d5162a1f69b988", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "97a9b11b-fec6-5bfe-a073-41cba37855a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981607Z", "creation_date": "2026-03-23T11:45:29.981609Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981614Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cf16a2218fc8a3b6fa5aa4a0bc6205792798078c380ccc7e5041476e0f1bc53d", "comment": "Vulnerable Kernel Driver (aka netflt.sys) [https://www.loldrivers.io/drivers/35a9afeb-18f1-4c02-a3aa-830e300138ae/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "97d5651e-65da-5d02-9384-02f33d63639e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821539Z", "creation_date": "2026-03-23T11:45:31.821541Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821546Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5404f100c0171f3485183a38770a5c37d0393aa25ce0d5a4fbb52111ecb765e0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "97deb0e1-f465-5e36-a73e-a01d6517cfb6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155736Z", "creation_date": "2026-03-23T11:45:31.155738Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155743Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e95506050b5df4ccfc2b5a109022ade66604dc5dd306c7975b2e66d3888f70a5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "97ebd72e-eb90-5295-ba77-fc1e62a124a7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609771Z", "creation_date": "2026-03-23T11:45:29.609773Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609778Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aa0a1de59d8697c5f39937edeb778fde7c596b71d64d3427c80fe4c060488990", "comment": "Novell vulnerable 
driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "97f330cc-c639-59d0-a317-d5e284fc011e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454681Z", "creation_date": "2026-03-23T11:45:30.454684Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454694Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "16360ead229b13deb47bc2bef40f282474c9f18c213c636cdfb8cc2495168251", "comment": "Vulnerable Kernel Driver (aka inpout32.sys) [https://www.loldrivers.io/drivers/97fa88f6-3819-4d56-a82c-52a492a9e2b5/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "980692a7-4c61-57d0-886e-dd8834c9972f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978934Z", "creation_date": "2026-03-23T11:45:29.978936Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978948Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d5562fb90b0b3deb633ab335bcbd82ce10953466a428b3f27cb5b226b453eaf3", "comment": "Vulnerable Kernel Driver (aka Black.sys) [https://www.loldrivers.io/drivers/4b047bb8-c605-4664-baed-25bb70e864a1/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "980bc68d-00c6-5359-a3cc-1fdbe8a9cd69", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142273Z", "creation_date": "2026-03-23T11:45:31.142275Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142280Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "91d9c3744283f31c43f10a876561d6700f3be19518b853ea2709fda9105427b2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "98163504-9b9b-563c-80ca-25a543fbb298", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480903Z", "creation_date": "2026-03-23T11:45:30.480905Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480911Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "506f56996fbcd34ff8a27e6948a2e2e21e6dbf42dab6e3a6438402000b969fd1", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "98173fa1-f433-56cd-8ffe-3eb14597a7bc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494923Z", "creation_date": "2026-03-23T11:45:31.494925Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494931Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "544e22290e9fba525d2b2df5e3414dffeab7bcc35a87fa18f46a00eab18aeb33", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9818331a-6327-53d6-9d6a-48d7852fa471", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150303Z", "creation_date": "2026-03-23T11:45:31.150305Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150311Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3b5ecb39dafef2cff4b537cd59926f522cf6bf10e01bb28100e6250ffc3cbf9a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "981c6eb3-abaa-5df6-945c-dc0f6c45cf73", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146302Z", "creation_date": "2026-03-23T11:45:32.146306Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146311Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fcae081ec5093f2f794e0fe32456a07d2294decea356ba84f5ca7c0af407b671", "comment": "Vulnerable Kernel Driver (aka ampa.sys) [https://www.loldrivers.io/drivers/ea0e7351-b65c-4c5a-9863-83b9d5efcec3/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "981e9404-386b-5f2d-ace0-1dda94f9fe31", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143399Z", "creation_date": "2026-03-23T11:45:31.143401Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143406Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f1838791999449fc15002e3330be19ce6b75b26ddfda132c5b37eefc72526c67", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "981fade0-290c-5433-a590-4d5afb3c4c24", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468889Z", "creation_date": "2026-03-23T11:45:30.468892Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468901Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0feb05a7cc11793d995c920779cffeae68afabc54ffa8d8c361e5ba44fa57c8e", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9820a6f1-ae4c-5ae9-a127-d631309e005f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140672Z", "creation_date": "2026-03-23T11:45:31.140673Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140679Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b8989e81bbf4a0952dac26a326e2defad8d36dc1848a095ddceb19d9e443324d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9823f788-3c66-5e83-8bb0-ee6661f477ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154570Z", "creation_date": "2026-03-23T11:45:31.154572Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154577Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f6a638c49b088c9abe20b7e882ddb0924ebd55330d412272e0c7b953bc2357e8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "98279125-1391-5a8e-bd72-8760392948cb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826474Z", "creation_date": "2026-03-23T11:45:31.826475Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826481Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a30e3faa2799870ce719d9c56250454cc3c91508a42ed39b44b81c0d6e8cfc94", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "982d1884-55c3-5868-9391-34d4ed0900de", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487684Z", "creation_date": "2026-03-23T11:45:31.487686Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487691Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9475319aa880489e6eec14e3d66501fc83be4395e07c4927666166fd4ece0021", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9855b557-535b-5391-8a12-75d1bce128a6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975855Z", "creation_date": "2026-03-23T11:45:29.975859Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975867Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a2353030d4ea3ad9e874a0f7ff35bbfa10562c98c949d88cabab27102bbb8e48", "comment": "Gigabyte vulnerable driver (aka GVCIDrv64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "985ac503-7706-5cda-857f-653a0fe2d26c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622810Z", "creation_date": "2026-03-23T11:45:29.622812Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622817Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c3a215473d836c1d7315f371bff4dea956d7d1b440e43b4671f6e3772bae00dd", "comment": 
"PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "98716085-24c3-539f-ac5a-dc345fc05b5d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829115Z", "creation_date": "2026-03-23T11:45:30.829117Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829122Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "122914d3e9b1a490871c4bbad1d5e7b5da9365fa1b34fac02c86873b2008770c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9884c5f5-0f98-5244-85a7-09bada13d9e8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817626Z", "creation_date": 
"2026-03-23T11:45:30.817628Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817634Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b3a191ccd1df19cdf17fe6637d48266ac84c4310b013ad6973d8cb336b06ff69", "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "98871817-2288-55f3-a5c2-2eae8c0e39b3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967344Z", "creation_date": "2026-03-23T11:45:29.967346Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967351Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "659e0d1b2405cadfa560fe648cbf6866720dd40bb6f4081d3dce2dffe20595d9", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "98949474-b29d-518b-9c62-bfb084086ccf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464118Z", "creation_date": "2026-03-23T11:45:30.464121Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464130Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b169a5f643524d59330fafe6e3e328e2179fc5116ee6fae5d39581467d53ac03", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "98960ee9-4fd4-59f4-a2c8-50e6d490d40b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498712Z", "creation_date": "2026-03-23T11:45:31.498715Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498724Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "770c2dfb24bba62e826160247e0a99152da04d27e8b6e115a3f474367cb9ee9d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9897001c-21d3-5425-b60f-3523835af690", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617237Z", "creation_date": "2026-03-23T11:45:29.617239Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617245Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1b845e5e43ce9e9b645ac198549e81f45c08197aad69708d96cdb9a719eb0e29", "comment": "Noriyuki MIYAZAKI's WinRing0 dangerous driver (aka WinRing0x64.sys) [CVE-2020-14979] [https://www.loldrivers.io/drivers/f0fd5bc6-9ebd-4eb0-93ce-9256a5b9abf9/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "989c0ab7-a942-5f7d-a300-58639fe30fe2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827479Z", "creation_date": "2026-03-23T11:45:31.827482Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827487Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3bb2b1b6160b22aec3cf19a98d196c84eba631c6f834f62ad2446e59ff3a036f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "98a10276-5ee4-5849-b8a9-dae4ee9c2250", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612127Z", "creation_date": "2026-03-23T11:45:29.612129Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612136Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f18605a691056b446c6411b7fa841b8178059bde8094cfe9013e59f4663cdf7f", "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "98a659ff-17ff-5c38-95da-995b3f7d75e1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155718Z", "creation_date": "2026-03-23T11:45:31.155720Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155726Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "74bc7ae43c81d7d15c53d1182a7c531928849af5a8f7a0efc330b1c06a1fd124", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "98a71bc1-72a2-5132-91a8-247c20d6bfaa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475283Z", "creation_date": "2026-03-23T11:45:31.475286Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475296Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"e1505e946a9a25ab41592508a479846bfaaddcd7e78216cb199dec969247de48", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "98a7d636-307f-56a3-8f0b-2207a6af3762", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476820Z", "creation_date": "2026-03-23T11:45:31.476824Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476833Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6a4c13dd5f92998c181129822281408859e2aad4616d3f05f935c0e9ccd19137", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "98accf8d-268d-5b0c-afd5-f4afb4f1f8cc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828507Z", "creation_date": "2026-03-23T11:45:30.828509Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828515Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "665dc47a18dbaa857591a35072a24032c26a05167823950dda3f2b5791ae027c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "98bcf4cc-3020-5c16-9f72-d3dada4c6ed5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826084Z", "creation_date": "2026-03-23T11:45:31.826086Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826092Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f2d89424cae23b487c0f580f69cdb0ea2da8a58bc038f554e3fed210776bff35", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"98bd7951-ad9a-5726-8f32-85a341713d30", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974333Z", "creation_date": "2026-03-23T11:45:29.974334Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974340Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6ad7bdf11a7ce7296a06eb4f14091df84fafdb04413e714f09f9ea6c686a1323", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "98c2e70b-1d51-53f5-9ed4-2f3fe7196040", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617202Z", "creation_date": "2026-03-23T11:45:29.617204Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617209Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47eaebc920ccf99e09fc9924feb6b19b8a28589f52783327067c9b09754b5e84", "comment": "Noriyuki MIYAZAKI's WinRing0 dangerous driver (aka WinRing0x64.sys) [CVE-2020-14979] [https://www.loldrivers.io/drivers/f0fd5bc6-9ebd-4eb0-93ce-9256a5b9abf9/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "98c3c19b-90c1-5c90-a9de-8a522f13d080", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817686Z", "creation_date": "2026-03-23T11:45:31.817689Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817697Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "901a8d1e209b63a83a16d870a5563a2d51db27f1bea484f42f234fc8ee0d6595", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "98c6e807-cc00-5ede-8bd1-771b12ac761b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143594Z", "creation_date": "2026-03-23T11:45:32.143596Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143602Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c35cab244bd88bf0b1e7fc89c587d82763f66cf1108084713f867f72cc6f3633", "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "98c70085-c674-592c-ae8e-bca53da23384", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985740Z", "creation_date": "2026-03-23T11:45:29.985742Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985748Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "23e89fd30a1c7db37f3ea81b779ce9acf8a4294397cbb54cff350d54afcfd931", "comment": "Malicious Kernel Driver (aka malicious.sys) [https://github.com/zeze-zeze/CYBERSEC2023-BYOVD-Demo] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "98d18dc5-d517-5700-b173-f61ea7994452", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810415Z", "creation_date": "2026-03-23T11:45:31.810417Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810423Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "90c0b84e071d00031d7c429b667af2df9caaf83e2ad5df14606016dc26006893", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "98daac20-5062-5e00-ab18-49c14c5188ed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810930Z", "creation_date": "2026-03-23T11:45:31.810932Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810938Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "6b3a2145383699b2bec4d5c54ee6ccabeb3b1ce316db81cccc5fac2d40ee5564", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "99078a23-fb8c-5c6d-b22b-ea7812c56b61", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143096Z", "creation_date": "2026-03-23T11:45:32.143098Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143103Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a41e9bb037cf1dc2237659b1158f0ed4e49b752b2f9dae4cc310933a9d1f1e47", "comment": "Vulnerable Kernel Driver (aka echo_driver.sys) [https://www.loldrivers.io/drivers/afb8bb46-1d13-407d-9866-1daa7c82ca63/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "99078e89-79b3-52a8-9d89-cb693ed496ef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452738Z", "creation_date": "2026-03-23T11:45:30.452742Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452751Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "feef191064d18b6fb63b7299415d1b1e2ec8fcdd742854aa96268d0ec4a0f7b6", "comment": "Vulnerable Kernel Driver (aka fiddrv64.sys) [https://www.loldrivers.io/drivers/64f3d4b0-6d2b-4275-b3d4-15d092af4092/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "990e9f03-dc6a-5661-8f56-3b342d77e12f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157101Z", "creation_date": "2026-03-23T11:45:31.157103Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157108Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e97da3dd77998a3b28a21f73d996613b10926dca1496f66f2aa928e44e967ea5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "990ea36a-da4f-5779-9c6e-d27330140e6c", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480843Z", "creation_date": "2026-03-23T11:45:31.480846Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480854Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e53f7184c76652cb62d46440b14c331ae2e27018497d827d125169c959dc2950", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9917aa9c-8f2e-52dd-ab92-c987e6b2976a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610104Z", "creation_date": "2026-03-23T11:45:29.610106Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610112Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "2a9d481ffdc5c1e2cb50cf078be32be06b21f6e2b38e90e008edfc8c4f2a9c4e", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "991b5bca-5c20-5b7c-a3d5-61827690242a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980413Z", "creation_date": "2026-03-23T11:45:29.980415Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980420Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e77786b21dbe73e9619ac9aac5e7e92989333d559aa22b4b65c97f0a42ff2e21", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "99253507-6863-50b3-85a6-77bf8607ef07", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:32.146801Z", "creation_date": "2026-03-23T11:45:32.146803Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146808Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6a2a0f9c56ee9bf7b62e1d4e1929d13046cd78a93d8c607fe4728cc5b1e8d050", "comment": "Vulnerable Kernel Driver (aka CSAgent.sys) [https://www.loldrivers.io/drivers/9974b134-7fee-4c7a-9b0d-38b3b2d7e957/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "99281d70-da9e-580a-9d01-b8d73c63f114", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972474Z", "creation_date": "2026-03-23T11:45:29.972476Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972481Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "58a74dceb2022cd8a358b92acd1b48a5e01c524c3b0195d7033e4bd55eff4495", "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "992e2097-5c6e-5899-a3b6-c9435436ec22", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470520Z", "creation_date": "2026-03-23T11:45:30.470524Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470535Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e1b3a3a67599aae12c073ba5ca0928c2c316d438c2b5462194c97687dda64903", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "992f4778-07a1-5cdc-bd68-6de12f3fdcc5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835928Z", "creation_date": "2026-03-23T11:45:30.835930Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835935Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"0beeaa2d2dc2bb86bfbf82651967d3edff104c565cf94b57b853adc70e8429fb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9933d83a-1366-5eec-b7e4-db339e2ef8c0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479686Z", "creation_date": "2026-03-23T11:45:30.479688Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479693Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3972159a58fd04da06f648c3828648cf394d3eb6af89538166cae8e6184c3eb6", "comment": "Vulnerable Kernel Driver (aka amifldrv64.sys) [https://www.loldrivers.io/drivers/a5eb98bf-2133-46e8-848f-a299ea0ddefa/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "993772fd-1844-50bc-be33-e18d49270d62", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821926Z", 
"creation_date": "2026-03-23T11:45:30.821929Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821938Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7436cb59411572a6194bfffad9f9e5194107da417457d4e20a6ef1d58491e3c9", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "994113c1-2bc3-50b4-884e-9000a46dc595", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475185Z", "creation_date": "2026-03-23T11:45:31.475190Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475200Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6267d7ad1aa3b2971299791711f0a06ac7d7813c20b61c8122953adcb55c9735", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "994e8590-5ad3-5b35-b8ea-ab50ba267657", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621315Z", "creation_date": "2026-03-23T11:45:29.621317Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621323Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c3e3719ca592ba65a67f594ec1a08d0d7ad724b088be77d48cb33627c56f4614", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "99577592-78e7-50a2-930b-fc4e0a5e76cc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486773Z", "creation_date": "2026-03-23T11:45:31.486776Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486784Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ce30adf8c4332331dd63ebc3d6c12b21598c85131536fb7aa8f79dac4975811", 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "995e179d-5850-58a2-9acf-93871281a07b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968096Z", "creation_date": "2026-03-23T11:45:29.968098Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968104Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b6191fbda54fba328446966bec7a7208159507a8f64213e2a7202b07af14a538", "comment": "Projector Rootkit malicious drivers (aka KB_VRX_deviced.sys) [https://twitter.com/struppigel/status/1551503748601729025] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "995f0244-9c75-555f-92f2-26e453da7adc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493489Z", "creation_date": "2026-03-23T11:45:31.493492Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493501Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c49c9d1e3ef2bc179db8e288ac0db8487447b2f59acc7bce7c610796e49fa4ad", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "996aab3e-906f-5a01-9e8d-ddd853926182", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140988Z", "creation_date": "2026-03-23T11:45:31.140990Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140996Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9abd8ca4557157de1f04c741ab1e23d428e61b9e02969ef7670644dd502e44d1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "996d17ef-9155-50ee-b7c2-f02b54e64490", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468982Z", "creation_date": "2026-03-23T11:45:30.468985Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468993Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9f35c5c9f95979f227b6d35f767dd94424285f8960c904188f0624d786ff793c", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "999f819f-bfd7-5c3d-83be-d3fc4d8b6b24", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810273Z", "creation_date": "2026-03-23T11:45:31.810275Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810281Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a1c8ebe32fd9e469c1a296ffec12d3ba0a22215a971a8bd5f0fd472e004c6422", "comment": "Vulnerable 
Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "99acf67e-3e83-5e27-a38a-050ae8807a47", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812099Z", "creation_date": "2026-03-23T11:45:31.812100Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812106Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b558f5f0986b32dae4da3c78671aec42b72b701978259f851bb69baf3bd546f1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "99ade27e-8f1d-5fbb-919a-8f10d0ae83c0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140363Z", "creation_date": 
"2026-03-23T11:45:31.140365Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140371Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c3ca4c909c558f4475bf892dda820fd5031b03ff5ed96495b358ab0edfd9d1ac", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "99be11e0-7d01-5020-921c-d0ea22ea8c9c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622297Z", "creation_date": "2026-03-23T11:45:29.622299Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622304Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "79e87b93fbed84ec09261b3a0145c935f7dfe4d4805edfb563b2f971a0d51463", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "99c5bf2f-456b-52f8-9886-d4ce602ff5bf", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140745Z", "creation_date": "2026-03-23T11:45:31.140747Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140753Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "26e74cb34a243c8f18f5e4ea5ec95533f2bcca6bc9d3ec9269f6fe4108333a4a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "99c62b88-066b-5414-babf-089c060aa7b9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979912Z", "creation_date": "2026-03-23T11:45:29.979914Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979919Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "9f4ce6ab5e8d44f355426d9a6ab79833709f39b300733b5b251a0766e895e0e5", "comment": "Vulnerable Kernel Driver (aka FairplayKD.sys) [https://www.loldrivers.io/drivers/31686f0e-3748-48c2-be09-fc8f3252e780/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "99c95f3c-575e-55af-b662-0d99816982c2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811453Z", "creation_date": "2026-03-23T11:45:31.811455Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811460Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0a1627b5e27ab1cd78eaa70d9a405a30f0638c4527c786c14b1f65d1e90c453", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "99d00c9e-e2fc-5b33-b3cc-1de749780df9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.154604Z", "creation_date": "2026-03-23T11:45:31.154606Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154612Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "536990bb05abc07cbbb1bf7a3640807f4217fc68954fae7bba6c69222db031d3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "99d203bb-5786-58c2-a06a-466336ed3b81", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611892Z", "creation_date": "2026-03-23T11:45:29.611894Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611899Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "46cf46e1073b7c99142964b7c4bef1e5285fabcf2c6dbe5be99000a393d9f474", "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "99dcf548-6afa-552f-b323-ba8c2614b92d", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825249Z", "creation_date": "2026-03-23T11:45:31.825252Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825261Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4a16aaaf76fc0a94f8095ae748e7ae9da0a4e31ffe76492fc6322228f3ebdaf1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "99ea1204-3511-5dae-9858-c38f27204fe8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605228Z", "creation_date": "2026-03-23T11:45:29.605230Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605238Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "fde1b9d335167c72d64f2a47e71594ba9b6ce1a967aefc86968e9fb3e75f68dc", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "99f1fb94-30e7-5c0e-8bd4-f3f48a62184d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613718Z", "creation_date": "2026-03-23T11:45:29.613720Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613725Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "86a8e0aa29a5b52c84921188cc1f0eca9a7904dcfe09544602933d8377720219", "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "99f33522-ce9e-5bf8-acf6-bd935d1dd7a7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.478662Z", "creation_date": "2026-03-23T11:45:31.478665Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.478673Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "38ada3d86644fbf19025a9af5f00f6ffa69b1184d22e83abd43717e826b788f6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "99fb5604-e536-58eb-a964-4bc491450d75", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605845Z", "creation_date": "2026-03-23T11:45:29.605847Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605852Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e3f2ee22dec15061919583e4beb8abb3b29b283e2bcb46badf2bfde65f5ea8dd", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9a1b1656-6c47-5d2e-b0eb-557b0b5436b8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983797Z", "creation_date": "2026-03-23T11:45:29.983799Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983805Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "61a1bdddd3c512e681818debb5bee94db701768fc25e674fcad46592a3259bd0", "comment": "Vulnerable Kernel Driver (aka GLCKIO2.sys) [https://www.loldrivers.io/drivers/52ded752-2708-499e-8f37-98e4a9adc23c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9a1ef8f8-3486-5f9a-883a-6baf5f16c3eb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152520Z", "creation_date": "2026-03-23T11:45:31.152523Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152531Z", "rule_level": null, "rule_level_override": null, "rule_confidence": 
null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "906fc56b9ac376f202eef00fad708b2ba9b0226eae5d941ccbe772a514367ce2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9a239e43-33b5-5cfc-aa67-eed9c38df89b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825262Z", "creation_date": "2026-03-23T11:45:30.825266Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825274Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "808c745b66231b01d1655ffda763a1a3cb5077541662cdb7de3f5648e0991693", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9a26c4dc-097c-5d0d-81a0-61da1290710c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619665Z", "creation_date": "2026-03-23T11:45:29.619667Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619673Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1d804efc9a1a012e1f68288c0a2833b13d00eecd4a6e93258ba100aa07e3406f", "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9a32445c-0de3-5044-ba0c-2ba635b66d2e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818452Z", "creation_date": "2026-03-23T11:45:30.818454Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818459Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "212c05b487cd4e64de2a1077b789e47e9ac3361efa24d9aab3cc6ad4bd3bd76a", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"9a33f32d-c7ef-5437-a35e-47908af457be", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144357Z", "creation_date": "2026-03-23T11:45:31.144359Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144365Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3ba14a1e3e51eaa08fb50d3768297efe407509d7ea52f7a9e7a25aacb25fe0c3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9a373c51-9441-555e-b452-dc2960fb712e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141938Z", "creation_date": "2026-03-23T11:45:31.141940Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141952Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0d470511934c81f329a0801774742e76f7c462ff3b324aeb00bc1861e6d8312e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9a3d5e59-f70a-578f-ab6e-b1de7b283865", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149239Z", "creation_date": "2026-03-23T11:45:31.149241Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149247Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0d890a2dace9686bccf5030ce6c745228e1d2ddf17b5c2f9015c2400e177aa05", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9a3e068d-7c62-5b31-9318-c7e24af8abdc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818888Z", "creation_date": "2026-03-23T11:45:30.818890Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818896Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "559ef0d415c5c3dbc1bfd598f4cad75aac9d4c5c6660fb61b23e44da4dbf89a9", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9a4426e9-1efe-5309-ae00-902995d997c0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813648Z", "creation_date": "2026-03-23T11:45:31.813650Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813656Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "13b5655c58306938d080551c66d473c1d16741a37450e6fba6c25f8ad496771e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9a4ce970-7cd2-5fb0-807d-9ee0d8c51919", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969204Z", "creation_date": "2026-03-23T11:45:29.969206Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969211Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "86a1b1bacc0c51332c9979e6aad84b5fba335df6b9a096ccb7681ab0779a8882", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9a62e65f-a194-500c-84c9-499a17f147d7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145485Z", "creation_date": "2026-03-23T11:45:31.145487Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145493Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0372eb7f1e79114ca1cb9d718b8b4a6297e2c38a460e9c13978b6d052c35b834", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9a648736-1d70-5548-9e5f-4d003f11eb3a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617185Z", "creation_date": "2026-03-23T11:45:29.617187Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617192Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3ec5ad51e6879464dfbccb9f4ed76c6325056a42548d5994ba869da9c4c039a8", "comment": "Noriyuki MIYAZAKI's WinRing0 dangerous driver (aka WinRing0x64.sys) [CVE-2020-14979] [https://www.loldrivers.io/drivers/f0fd5bc6-9ebd-4eb0-93ce-9256a5b9abf9/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9a791e18-a3e5-528e-8275-0f323e4b426c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610975Z", "creation_date": "2026-03-23T11:45:29.610977Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610983Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1399e65aa55c898a6cd5fb32d4b19f5bbaf69c56c1383963c99b7a0804eb0203", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9a7e3c3b-3c13-5aa2-8593-0d5ef08e57ae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979221Z", "creation_date": "2026-03-23T11:45:29.979223Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979228Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cb9890d4e303a4c03095d7bc176c42dee1b47d8aa58e2f442ec1514c8f9e3cec", "comment": "Vulnerable Kernel Driver (aka nt2.sys) [https://www.loldrivers.io/drivers/cacc48e6-6ed8-431c-abee-88ee6c2dc3c1/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"9a819009-8046-5d96-a116-6d985de74d93", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457621Z", "creation_date": "2026-03-23T11:45:30.457625Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457644Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "902b754dd302a994074ea8d3e619d2f9000e6c6997e428f19f41533f7c5e192c", "comment": "Vulnerable Kernel Driver (aka rtkio64.sys ) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9a81a80d-85e4-5edb-a62a-d0a52f111990", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971255Z", "creation_date": "2026-03-23T11:45:29.971258Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971266Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9a897261-8c53-536d-8ce9-d993a3a3c599", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616899Z", "creation_date": "2026-03-23T11:45:29.616902Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616911Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "05e2d2f2b58da5391598d30d7f5f33ae38cfeb0d9b9ae19b4312de39c678f301", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9a9442d9-b98b-53a7-9a5c-b2f3b18a975f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141856Z", "creation_date": "2026-03-23T11:45:31.141858Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141864Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7c906804b11db7ca188e268146df47da23c570e4641e02f933ae1d9d3519c399", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9a99b515-0416-5e24-9dd6-c71ad90daf0b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491116Z", "creation_date": "2026-03-23T11:45:31.491120Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491128Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0a81746b9c63ddf4bc6fa6d073a1a98fcacea3a8b628a5d615bf5644d9e0bcf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
} { "id": "9aa19a9d-ca6c-54db-bc9e-8e958d640f64", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818965Z", "creation_date": "2026-03-23T11:45:30.818967Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818972Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "23440de2db935be1c06b40ff2809215d00d95930abe3fda70ea57cf8a9fc0e98", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9ac7d5f5-33da-575b-be02-23f76869dc8c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481640Z", "creation_date": "2026-03-23T11:45:30.481642Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481647Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "c662ed197a5849cf491ee099885f8855b4f8a3d0f5b664c772f2b89c0314b44e", "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9ac8379c-aeba-52d9-b960-fc24548aac30", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.986014Z", "creation_date": "2026-03-23T11:45:29.986016Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.986021Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7fd90500b57f9ac959c87f713fe9ca59e669e6e1512f77fccb6a75cdc0dfee8e", "comment": "Vulnerable Kernel Driver (aka mhyprot3.sys) [https://www.loldrivers.io/drivers/2aa003cd-5f36-46a6-ae3d-f5afc2c8baa3/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9ac8eaec-2709-5410-9917-ef1c7aa77968", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.498938Z", "creation_date": "2026-03-23T11:45:31.498941Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498957Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0814a2a3868c0b660aa4f45294a8d5b7645547a71bee2e9420e9ac54378c7130", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9ad1bdf8-2823-5118-b1dc-7564b78ae958", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982014Z", "creation_date": "2026-03-23T11:45:29.982016Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982022Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1b7fb154a7b7903a3c81f12f4b094f24a3c60a6a8cffca894c67c264ab7545fa", "comment": "Vulnerable Kernel Driver (aka PCHunter.sys) [https://www.loldrivers.io/drivers/a261cd64-0d04-4bf5-ad73-f3bb96bf83cf/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9ad2fe1c-ae81-5c25-b63c-92bf575c12c9", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155942Z", "creation_date": "2026-03-23T11:45:31.155944Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155956Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3940329e2f14114ae5b6b043f736fdaf8b52a3a2926c3b5f0679815367acd20b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9ae19ee7-3f06-5bba-b0f8-d2df995da1af", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832425Z", "creation_date": "2026-03-23T11:45:30.832427Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832432Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"aff016b1ce411e0858adb479407aebcbb50c5355a76147465a70efb5656ab629", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9af48946-34fb-5838-a330-fc0512979faa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.986195Z", "creation_date": "2026-03-23T11:45:29.986197Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.986203Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "81b772e718e40e8d1d815cb3b16690c1ebd4e0bc555933db306037cc3341537f", "comment": "Vulnerable Kernel Driver (aka pchunter.sys) [https://www.loldrivers.io/drivers/73290fcb-a0d7-481e-81a5-65a9859b50f5/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9af600fd-4e30-5ca9-95b9-98b9962efe47", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985027Z", 
"creation_date": "2026-03-23T11:45:29.985029Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985034Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bb50818a07b0eb1bd317467139b7eb4bad6cd89053fecdabfeae111689825955", "comment": "Dangerous Physmem Kernel Driver (aka Dh_Kernel.Sys) [https://www.loldrivers.io/drivers/dfce8b0f-d857-4808-80ef-61273c7a4183/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9afffc8a-739f-529f-a019-88e7d8fc36cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976921Z", "creation_date": "2026-03-23T11:45:29.976923Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976928Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b309ab94ce74e0611372374408cd9c83efcfbd58d1b3df2567fcb78ab245b1d3", "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9b0a929f-45c8-5f8d-8424-ccd9e124eb08", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822171Z", "creation_date": "2026-03-23T11:45:30.822174Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822179Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "665512fdf31d81504e6540e94d8f1b39f3e56932054a9b83aa4a45360e1c5477", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9b0c0519-a67f-57ff-995e-07f8771d9e24", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.484751Z", "creation_date": "2026-03-23T11:45:31.484755Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484764Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"13e38c1312d7ac8fac4e6f80c3756f8348e0c566773e290cea6dc176601d9e4d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9b0efb40-097f-5aef-9668-4ca4fd0288ef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824708Z", "creation_date": "2026-03-23T11:45:31.824710Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824716Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b31a9a31a00498fb7c81761183e390e3c78180e5bcfb2573fdf95d6a628ebf5a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9b19490b-3179-54e5-b400-83c063e6dd99", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466326Z", "creation_date": "2026-03-23T11:45:30.466330Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466337Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ac5fb90e88d8870cd5569e661bea98cf6b001d83ab7c65a5196ea3743146939a", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9b293db4-99c4-5363-8924-42168070f5fb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604889Z", "creation_date": "2026-03-23T11:45:29.604891Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604897Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6029e838d1573bc036d8f7848e5e4671360617cd138c0e8d5f159a848e5d2782", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9b2d0f94-fb1d-5643-8661-a33fcd367338", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972772Z", "creation_date": "2026-03-23T11:45:29.972774Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972779Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "605e0efa14fc8443dc43c2068f17e6f175369909d5f7f1c3730fb5fe062528e6", "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9b33552b-b583-588d-971c-0a6092e3c879", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813844Z", "creation_date": "2026-03-23T11:45:31.813847Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813852Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"e9acd4ef31444f62847ca2d6197f807a88f2539d5cef2c6a14a6fa0b5361b5c1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9b379b83-bca4-5e5c-a02e-f9a8fdbab5d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974609Z", "creation_date": "2026-03-23T11:45:29.974611Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974617Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "83a67b544982a2fd1484af752cc4ab2f6c0b50cb3c9dba60b888c2c2e37d1036", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9b39597e-e119-5e8b-a4bc-9637fc092ee5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:31.141558Z", "creation_date": "2026-03-23T11:45:31.141560Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141566Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d7f685c13c33b23791328fb4169067755632cb0ee423a3ea465514f8f7311607", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9b3a48b4-67cb-534b-b762-d0d0d39c828e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819651Z", "creation_date": "2026-03-23T11:45:31.819654Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819662Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "11b37c27e8598456fa635850d96de920d93062bad509278c074e7502dc3c9b6e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"9b3ee847-0a69-5ccf-ab0a-5d5b50e48a2e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814338Z", "creation_date": "2026-03-23T11:45:31.814341Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814349Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a23601872001105d92f91118d89c66a3a74c723dae381b821a06357f705ad0fc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9b42451e-5d0b-5235-bfad-a3db392e14d8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479386Z", "creation_date": "2026-03-23T11:45:30.479388Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479393Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7164aaff86b3b7c588fc7ae7839cc09c5c8c6ae29d1aff5325adaf5bedd7c9f5", "comment": "Vulnerable Kernel Driver (aka segwindrvx64.sys) [https://www.loldrivers.io/drivers/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9b45e5e4-9065-56e6-945b-3093a25deaba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498603Z", "creation_date": "2026-03-23T11:45:31.498607Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498616Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "57390caccbbacd3bc02c80508b3564166e1f8a63c2449ea54334c5ae08ca2615", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9b48cf4d-0072-51dd-9b1e-0348c584b62c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608652Z", "creation_date": "2026-03-23T11:45:29.608654Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608660Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3069a07f31cb4a3fd99055cfe33b8efba08859b7d3e225060edc6631b6f44020", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9b4914a9-4e9f-5764-903f-f225c30c625b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823106Z", "creation_date": "2026-03-23T11:45:31.823108Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823114Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e9b011f78de85f1fc8668715f2e6d45ac54490de6bfcef4606f5a9b5d4c016e2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { 
"id": "9b4bca38-85be-52f9-99cb-b705c3f4bb22", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622544Z", "creation_date": "2026-03-23T11:45:29.622546Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622551Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4324f3d1e4007f6499a3d0f0102cd92ed9f554332bc0b633305cd7b957ff16c8", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9b55c916-ff55-5a94-95ca-f61f48eba0b0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474088Z", "creation_date": "2026-03-23T11:45:31.474092Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474103Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2d0e06009cc878d926dce6cabea21892a8cccfc1d9aebb64ff63b6db24711719", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9b66ff0a-82a4-5db7-8c11-c9c825119b73", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836378Z", "creation_date": "2026-03-23T11:45:30.836380Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836386Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "235195db6d1ecc4c264e231ac07f282d2ce899243ab8509db9d58232a7379b3a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9b694244-2a08-5c41-b72f-f3b6a781f45b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154786Z", "creation_date": "2026-03-23T11:45:31.154788Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154794Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e492c59970771138c78b4f8b069c4adec06ccccb0d4275b1d585c80a4e968a61", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9b876d8e-9919-5d13-a6d5-95a82d65e4b6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614041Z", "creation_date": "2026-03-23T11:45:29.614043Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614048Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b78cb190a4968d06f2cdab65ea0106bc47eefdaffc871ba5dd2c2dccadb1e403", "comment": "Huawei vulnerable drivers (aka HwOs2Ec10x64.sys and HwOs2Ec7x64.sys) [CVE-2019-5241] 
[https://www.microsoft.com/security/blog/2019/03/25/from-alert-to-driver-vulnerability-microsoft-defender-atp-investigation-unearths-privilege-escalation-flaw/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9b8bf0ad-2273-5c2a-98e2-34d5d33a6c81", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832677Z", "creation_date": "2026-03-23T11:45:30.832679Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832684Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b13314c6f8542d00987278da7bcc3a5833882533c249eee4a4ffed6b01f7e076", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9b9ca365-99c1-5227-8d1f-5063fc11ecac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465255Z", "creation_date": 
"2026-03-23T11:45:30.465258Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465267Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a7a665a695ec3c0f862a0d762ad55aff6ce6014359647e7c7f7e3c4dc3be81b7", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9b9e600a-5acc-541e-b6f7-01e531fda2ef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819995Z", "creation_date": "2026-03-23T11:45:30.819997Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820002Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c0a60e07b06033497ded62ed49fbf3eb3d8fe750eebc3f0c332f5d84ab17e045", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9bb0dbd1-7927-5648-9369-9a348f0396d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611779Z", "creation_date": "2026-03-23T11:45:29.611781Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611786Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3871e16758a1778907667f78589359734f7f62f9dc953ec558946dcdbe6951e3", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz141_x64.sys) [CVE-2017-15303] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9bb2fcd0-b870-5e90-87fc-ad499d38ace3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831549Z", "creation_date": "2026-03-23T11:45:30.831551Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831556Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cbb16ed786b6aa2114c413f32b479fb0ad32ef51c3ed2a3bf246c64cc67a2f71", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9bb54a80-8b45-5b34-9847-4885ef01f70d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466413Z", "creation_date": "2026-03-23T11:45:30.466417Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466425Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "02ebf848fa618eba27065db366b15ee6629d98f551d20612ac38b9f655f37715", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9bd20355-6307-566d-9c70-4e7bc74e3dd0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836433Z", "creation_date": "2026-03-23T11:45:30.836435Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836441Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4f38278507925c3b52ed85bc8c9c59ae7165d250c2214ff828e8ff3873e39853", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9bd5fc0f-1d94-5c27-976b-8a7e882016d2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826102Z", "creation_date": "2026-03-23T11:45:31.826104Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826110Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8713acee437abc90d03bc765a51b27cd4e4b1525d191a499e10d0baad1cd4093", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9bdac16c-a7db-50be-8c83-56ee90347f86", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815347Z", "creation_date": "2026-03-23T11:45:31.815349Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815355Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd3307c8636e6789a1ccc4c7906b37d36daa4caa25049e50d40eb66b88a28e90", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9bde7ebb-5a82-52aa-8a92-097be6674b6d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975621Z", "creation_date": "2026-03-23T11:45:29.975623Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975629Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e16dc51c51b2df88c474feb52ce884d152b3511094306a289623de69dedfdf48", "comment": "Novell XTier 
vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9bdf68fd-ee79-5447-bb0f-7d4d6c091a4d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823472Z", "creation_date": "2026-03-23T11:45:31.823475Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823484Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "05db222530d33503428366d5fb29a78944343a4fb6491a3814f7e2183671f678", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9be150ae-3697-522b-b0d8-7153e97599d4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493418Z", "creation_date": 
"2026-03-23T11:45:31.493420Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493425Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "64f6d15237777c9c3eaa1cde000093e324309d74a15394c7f6aa384c6b0322c2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9bf0ff35-5438-59da-b98f-87d679a8172c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464452Z", "creation_date": "2026-03-23T11:45:30.464455Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464463Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8b32fc8b15363915605c127ccbf5cbe71778f8dfbf821a25455496e969a01434", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9c04a409-d24a-51fd-8249-9801f939971a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473085Z", "creation_date": "2026-03-23T11:45:31.473089Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473098Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c11bd3609173965808776513612dc0607b34b949e21331cf470d5c585b20f3e8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9c084e42-f113-586a-8c3c-3b094b5d4cd9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144634Z", "creation_date": "2026-03-23T11:45:31.144636Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144641Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"886aa9c69a2a14e6eccdad7cbb1bbcab8413307c64c746d63d5666d2e10b31ea", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9c09aeae-0810-5134-b61b-abad8b226c0c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830277Z", "creation_date": "2026-03-23T11:45:30.830279Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830284Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "da41cb1410c171dcda483cd1930922aa08385446a452a070f898ce98d3e1741b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9c2508d4-c75f-5f5f-ab3e-42051fdc65ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476214Z", "creation_date": "2026-03-23T11:45:30.476217Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476226Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "87e094214feb56a482cd8ae7ee7c7882b5a8dccce7947fdaa04a660fa19f41e5", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9c251594-9097-508f-860e-851f557c1231", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979082Z", "creation_date": "2026-03-23T11:45:29.979084Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979089Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "23ba19352b1e71a965260bf4d5120f0200709ee8657ed381043bec9a938a1ade", "comment": "Vulnerable Kernel Driver (aka LHA.sys) [https://www.loldrivers.io/drivers/eb07ef7e-0402-48eb-8e06-8fb76eda5b84/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9c3375b7-0084-5b14-8688-43c77eda146d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143910Z", "creation_date": "2026-03-23T11:45:31.143912Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143917Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a6611470131d2bf9f571217bc83ab77e4e8cfa6cd08c6b4b6994a9b045d0a93d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9c383a0c-a508-50c9-81e6-2ff68fdd2fb5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463270Z", "creation_date": "2026-03-23T11:45:30.463273Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463282Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"ec96b15ce218f97ec1d8f07f13b052d274c4c8438f31daf246ccfaaee5e1bebd", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9c395aa1-3474-5231-b2cd-5db1377a70e4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832279Z", "creation_date": "2026-03-23T11:45:30.832281Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832287Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e7e0b9ee449be3f6af44d4bc962e5b8e7bcd2fc657796c257a6234920c68ab27", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9c3e97d9-1dce-577b-82e5-2090f5c0c7b6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150479Z", 
"creation_date": "2026-03-23T11:45:31.150480Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150486Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "381463e3020706e124291c7a6d0df2fbee49e2f695fb8dc027d4ebb03f30134b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9c3ead8f-2cac-5be6-85e3-3c5667f1add9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143077Z", "creation_date": "2026-03-23T11:45:31.143079Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143085Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e7ed5283aa462d89ca12960b6fccad1d86cd3b9bcda9b9e532f937f634950a43", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9c5e7a68-a056-517f-bc63-f8d6189e85c4", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156345Z", "creation_date": "2026-03-23T11:45:31.156347Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156352Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f4fe055699c47493921717525e1939c3b4426c65efd1f2e922eefff5c1d3ac20", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9c6d76dc-d377-54bd-8936-126268ea8465", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488776Z", "creation_date": "2026-03-23T11:45:31.488778Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488784Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "3b84b2161ca1515e4d503a1ddd8fed1c995e2f4f45ece1f5504059ecf7ea5360", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9c841118-5e96-53b8-8556-66bb845ce94e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459547Z", "creation_date": "2026-03-23T11:45:30.459551Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459571Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e94e8a87459db56837d1c58f9854794aa99f36566a9ded9b398be9d4d3a2c2af", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9c88dbcd-516e-5c3f-9310-905534e65e98", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.984804Z", "creation_date": "2026-03-23T11:45:29.984806Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984811Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "913ab7134ea3460e76db753cf68f336ada8f0b9c397be88c75f9567a8694f4a5", "comment": "Dangerous Physmem Kernel Driver (aka AsrRapidStartDrv.Sys) [https://www.loldrivers.io/drivers/19d16518-4aee-4983-ba89-dbbe0fa8a3e7/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9c97c4a0-6717-589d-9ada-2d68e24d8f46", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813740Z", "creation_date": "2026-03-23T11:45:31.813742Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813747Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1e32f82241a529082fe33a4bfbd949a50c8ef947f4742cfa4027143afc051784", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9c980820-ef5c-501f-a236-e148171aacd6", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972721Z", "creation_date": "2026-03-23T11:45:29.972723Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972728Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "04f771d72a812fe9dd6bced402b36b081c80bd3397fdd66dbaa44906ac088159", "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9c9ea072-21ec-55e5-91ed-f144f03f80ea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819175Z", "creation_date": "2026-03-23T11:45:30.819177Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819182Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "713c7a6532cbc952546c3b844ed529b5b285dc29e16036731ceebc6f6431ae77", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9ca1b18b-60a6-5db1-af13-b6c5168b4e9a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155649Z", "creation_date": "2026-03-23T11:45:31.155651Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155657Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b31d89fa12755b4b91cadf4106aa617155a8ee6feac355ab40bf4fe54b4df3e1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9ca41e79-03b3-5654-9813-68078c4775a8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" 
}, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982361Z", "creation_date": "2026-03-23T11:45:29.982363Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982368Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dbe9f17313e1164f06401234b875fbc7f71d41dc7271de643865af1358841fef", "comment": "Vulnerable Kernel Driver (aka winio64.sys) [https://www.loldrivers.io/drivers/1ff757df-9a40-4f78-a28a-64830440abf7/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9cb60c53-cc25-5eb3-a624-d22b97780a5e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458992Z", "creation_date": "2026-03-23T11:45:30.458995Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459005Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0eace788e09c8d3f793a1fad94d35bcfd233f0777873412cd0c8172865562eec", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9cb8639e-04d2-52d1-a72a-3a4f69960fcb", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616605Z", "creation_date": "2026-03-23T11:45:29.616607Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616612Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e7cbfb16261de1c7f009431d374d90e9eb049ba78246e38bc4c8b9e06f324b6f", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9cc171a0-314f-53a6-9bb6-cdc71b7cb3d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818772Z", "creation_date": "2026-03-23T11:45:30.818774Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818779Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"9fa699246d83356d7b4bd99adf3c74f8e0682a650de2687075e70418ee9d5e38", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9cd4d84b-7a24-5985-a128-13cc8ed06361", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142128Z", "creation_date": "2026-03-23T11:45:31.142130Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142136Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e507406311a9ca0620cae70209d97725fb22fdfb4e94b941284fdf5c1e310ba6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9cd914a6-e239-5a25-b2bd-4631f88e0eab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.145523Z", "creation_date": "2026-03-23T11:45:31.145525Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145531Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f1c1a28aac308366f9679c2d730e6e93e9f1344c5961242f99f7129f29e50d9d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9ce8fc0c-8b80-557c-a4c7-312d4701a69e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612351Z", "creation_date": "2026-03-23T11:45:29.612352Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612358Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0da746e49fd662be910d0e366934a7e02898714eaaa577e261ab40eb44222b5c", "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9ced9727-4ce2-5198-817f-4b520b5109d6", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979047Z", "creation_date": "2026-03-23T11:45:29.979049Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979054Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d8f7ddf5de213c6dc0356dc83b6307ec596e66c33c3cdd826a612c12004ba9dc", "comment": "Vulnerable Kernel Driver (aka driver7-x64.sys) [https://www.loldrivers.io/drivers/48bc2815-85ec-4436-a51a-69810c8cb171/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9cefeb14-f96d-5260-8867-d1678c10fb61", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821637Z", "creation_date": "2026-03-23T11:45:31.821639Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821645Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"0f147b1c5060d3e9305f3a09e03bab079bdc7a964d55e95010a66a7b41981d4d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9cf4752c-0123-58c1-b076-feed5de72170", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494354Z", "creation_date": "2026-03-23T11:45:31.494358Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494366Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b2e3825b2dcdba02bdf30c50735b41accf42da061fb0cbc8da28dbe5dc66394d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9cf79c39-5497-54be-8cdd-b150df53f77d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984547Z", "creation_date": "2026-03-23T11:45:29.984549Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984554Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4530235508b99dffe4e912cc9cac7bdc237e79f5a331f601c43ba909d7a3af4a", "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d008f86-67a2-5015-a43a-906aa897f8c1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498808Z", "creation_date": "2026-03-23T11:45:31.498812Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498822Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "85a384142482e7ae94a3f9b37cd1270391c70731cf3c166167cd763061ad837c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d192b50-4c4e-5273-96c9-65fbd3d1b74a", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985867Z", "creation_date": "2026-03-23T11:45:29.985882Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985887Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "30061ef383e18e74bb067fbca69544f1a7544e8dc017d4e7633d8379aff4c3c3", "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d1be502-8b7a-5a1b-9e37-693541c97ca0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821049Z", "creation_date": "2026-03-23T11:45:30.821052Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821063Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f93e0d776481c4ded177d5e4aebb27f30f0d47dcb4a1448aee8b66099ac686e1", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d1d9634-194e-5459-99a3-03cbe3e9b75d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816472Z", "creation_date": "2026-03-23T11:45:30.816474Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816480Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0afba623a3ae2726112c6458c212bb48b210566851b7604ed3fbb880ffd3859f", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d20e6e4-2677-50c7-a41d-fec7be678133", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607071Z", "creation_date": "2026-03-23T11:45:29.607073Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607081Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cddd341f267a6094f7bd7d1b56427ebc029ccb348e7f0714d9301c2c67fdd5df", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d29b928-3941-5375-894b-e2cb6018c08d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499485Z", "creation_date": "2026-03-23T11:45:31.499488Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499496Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a031cd87ef68c07233810f837490d4ffba620cf8e4504f51bf82b4f86602a022", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"9d29e34d-1e83-5940-bd93-f9e644666667", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495285Z", "creation_date": "2026-03-23T11:45:31.495288Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495296Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "147ac26b660ed4e681e0458e032aeda8c0f0b06abd11c707399a4f0edf063de7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d2a71e5-c7e3-5439-b6f3-51cb4b2aab37", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145791Z", "creation_date": "2026-03-23T11:45:32.145793Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145799Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f06493341f9f16b9d25a3a5e07851dd04b63f36904a21ec1da30bfcb9157724c", "comment": "Malicious Kernel Driver (aka driver_5d61e4ea.sys) [https://www.loldrivers.io/drivers/0215d6d6-e0c4-4a11-bd3a-40511f89d736/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d310a62-9d3d-5977-8cfb-458d3357d46c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452489Z", "creation_date": "2026-03-23T11:45:30.452492Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452500Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "da70fa44290f949e9b3e0fcfe0503de46e82e0472e8e3c360da3fd2bfa364eee", "comment": "Malicious Kernel Driver (aka c94f405c5929cfcccc8ad00b42c95083.sys) [https://www.loldrivers.io/drivers/ddefecdd-9410-46d9-8957-e23aac1aba0c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d31e4f0-b12c-520e-b15c-ba748aeb764e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981183Z", "creation_date": "2026-03-23T11:45:29.981185Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981190Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ba224af60a50cad10d0091c89134c72fc021da8d34a6f25c4827184dc6ca5c7", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d32aa4f-8f6d-5ae0-a0b4-12105a18e2d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148295Z", "creation_date": "2026-03-23T11:45:31.148296Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148302Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c8a092df8fa7012c64769563307b8c39447da1470e6f3b4a324ff98b7549433d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d38d6bc-d7fe-5e7a-bb9c-b92d068c0100", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456537Z", "creation_date": "2026-03-23T11:45:30.456540Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456549Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d3e95b8d8cbb0c4c3bb78d929408b37fd3b8f305b6234f7f03954465d52454eb", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d3db35e-3ec0-535a-a73f-7e86823ed1a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831127Z", "creation_date": "2026-03-23T11:45:30.831129Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831135Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"cbba49d8b079613d8fe81944224fcc6e52e71a1eca54cd94ebbf891c091f5ea0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d3fb3ab-1a3d-58d2-9085-d8a25ec9a96a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146618Z", "creation_date": "2026-03-23T11:45:31.146620Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146626Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0fb37657d0f6eb3968be2049eb3135614e33a7b5354f0fa19938b4e07389236a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d628084-850c-5abe-a1d8-03dda5a56313", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498361Z", "creation_date": "2026-03-23T11:45:31.498364Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498373Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3ecc3bf10c95d05622f596ec6f6ca85af85e5dd9c1ab5442052856dbbd62e774", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d6b7f94-66e3-5745-9abd-541b3c5a2ca8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452828Z", "creation_date": "2026-03-23T11:45:30.452832Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452841Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "18f306b6edcfacd33b7b244eaecdd0986ef342f0d381158844d1f0ee1ac5c8d7", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d7b1d3c-3ddf-5138-ba70-299e21b66c0d", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153396Z", "creation_date": "2026-03-23T11:45:31.153399Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153408Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "89ea6406a18fadbe53c31e678a9bcb6648e6e1b1c11eae319df5d4ee45b7cfc6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d7edbf3-734e-5d9c-a3ad-46ed539d8418", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970781Z", "creation_date": "2026-03-23T11:45:29.970785Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970794Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "68191d76aaafb52bbec5240c3b371e7dd77ff442b4a3394b41cc402402b43717", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d7f11c3-249d-5775-b0ba-0028d6fb8d1d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811381Z", "creation_date": "2026-03-23T11:45:31.811383Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811388Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f1aa668d4a014e08274931a73971c03a27af624936b553df615a52069b6815a1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d7fb28a-52a0-5a96-a924-2b2ffef570bd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822582Z", 
"creation_date": "2026-03-23T11:45:30.822584Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822589Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4d16e1f28bae42b72cad2b1511ec59968d0659a6913cce8056b4572c20303822", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d894dd5-4a98-5f72-bccb-0d63bd8c07c3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159750Z", "creation_date": "2026-03-23T11:45:31.159752Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159758Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0d56f5b795bb2212a7e09393a8cc0bd86f51241e6fa274179949bfb0ccde0f05", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d8c63e2-5b6c-53aa-8ad1-92a37767214f", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835842Z", "creation_date": "2026-03-23T11:45:30.835844Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835849Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "12329b9ab6f14b2ad6cb37e76d6f74e14e5790e829035704ea0f5c7a5751e764", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d94af5a-6404-55d4-918f-f5f7f39e8cfa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978579Z", "creation_date": "2026-03-23T11:45:29.978581Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978587Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"34b3acdeac5002880071f73b70aa3abd3a6facb9e281b5c93cc82a7a8a6d5cc1", "comment": "Vulnerable Kernel Driver (aka IOMap64.sys) [https://www.loldrivers.io/drivers/f4990bdd-8821-4a3c-a11a-4651e645810c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9d9869e2-a925-5ae3-ab47-56662313bb33", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483532Z", "creation_date": "2026-03-23T11:45:31.483536Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483546Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8a6d9f7c20e86d18f329b378991299ff94b7635adf9823bd8ca87eb29010b32c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9da6db87-b3c7-5459-bb02-095f21cb193e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810127Z", 
"creation_date": "2026-03-23T11:45:31.810131Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810139Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1480fbab723741589d56bc33add490b8b8753b8bfe54db0c13672d4046e22c1c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9dafdc92-6f3a-5b62-80ec-afae3354709e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462257Z", "creation_date": "2026-03-23T11:45:30.462260Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462269Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "184cc3969b79f1856614bed64c1d5562d3363e13a92176f2e9a9235a4aa7d051", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9db59f1b-54e0-586c-a1f2-096d89760999", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 
10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145566Z", "creation_date": "2026-03-23T11:45:32.145568Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145574Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3df5f17da8758288b633611afc1c0b6d42c1e56aed5539cfa313986f70ce90e7", "comment": "Vulnerable Kernel Driver (aka ADRMDRVSYS.sys) [https://www.loldrivers.io/drivers/48aeea9b-7812-4b25-9835-baaebe7dc551/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9dbdcbec-ae5b-570f-934a-a202e35a69ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476524Z", "creation_date": "2026-03-23T11:45:30.476527Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476537Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b756d234559ee0ed93328bb598352ead2efb27eabaf1afac5fb3e2f43b9901f3", "comment": 
"Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9de54a6d-8837-5d73-9395-dfd72ed199fe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154210Z", "creation_date": "2026-03-23T11:45:31.154213Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154218Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1454ead1d04577ee7332b820fa6d15bb0d3c4f676bc1a15eb9fc823dc7e00e03", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9de9d2e6-4a5a-5ad5-bce5-6317d08fe845", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146474Z", "creation_date": "2026-03-23T11:45:32.146477Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146486Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "54942b92790dc0b84c56d4a00f3ac419b0a506344ca7e9f1fb666a86dbc4117f", "comment": "Malicious Kernel Driver (aka f.sys) [https://www.loldrivers.io/drivers/17a1ad58-ecf3-4dea-b1ca-336880d15256/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9df71d7f-9dc2-5088-97a6-20f710b6f54a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142398Z", "creation_date": "2026-03-23T11:45:31.142400Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142406Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d447654a04902b223620e9a5f1247c1c780c37ab0055ea673973b9c93a1a798d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9e01a289-c3db-5125-b41b-3e4677fa8189", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490048Z", "creation_date": "2026-03-23T11:45:31.490051Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490056Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c09d3f977a422a4da35bc8c0c8843618b36fd24fda467a4c9b818099f6f291fe", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9e041b33-1bab-5873-b467-daf187c764ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142203Z", "creation_date": "2026-03-23T11:45:31.142205Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142210Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6f8da066754639522b60aa827389dfdc363899c56a0260ac2fb61f053db4333f", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9e0c86be-5196-56b4-866b-5b28cf106569", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149897Z", "creation_date": "2026-03-23T11:45:31.149899Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149905Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "af91b7c87833cf8af531708e945e04061c8eeda1d3115c6458ff82c5cc4d1d09", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9e1396ef-4013-5f65-81c0-47e756c048a6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610335Z", "creation_date": 
"2026-03-23T11:45:29.610337Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610343Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2a6db9facf9e13d35c37dd468be04bae5f70c6127a9aee76daebddbdec95d486", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9e18d3f2-a41a-5420-9618-2bc4ebd756c1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149915Z", "creation_date": "2026-03-23T11:45:31.149918Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149923Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "538a437a907b471ae2727e9db9abc01322d18a5b35327fe578710f33b7dfae18", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9e1a8fb1-32e4-5c07-93dd-6fb2d76300e9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 
10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485770Z", "creation_date": "2026-03-23T11:45:31.485773Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485784Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3e42e77ce4e8ccee8f135311ba69d2e3d7cba2212532f074ac4e284904ee298c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9e3145dd-1266-5ff1-9e6b-7277f0c8198e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814776Z", "creation_date": "2026-03-23T11:45:31.814779Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814789Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"86f2d62b48fcfe930c39b2831cbb74ae0059b5d80a661a4e0935404830d8b5ad", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9e31a86b-23a5-5fd8-984a-a5e9464fc716", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460180Z", "creation_date": "2026-03-23T11:45:30.460183Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460191Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5fe5a6f88fbbc85be9efe81204eee11dff1a683b426019d330b1276a3b5424f4", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9e3aa0e6-100b-5674-9158-b65d1f8f4ca7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817761Z", 
"creation_date": "2026-03-23T11:45:31.817764Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817773Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c1cf9983c2e1b60ff30ed6536e9ad4c63bccddc70c33fc90817b325ac7e4956c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9e4545b3-a949-59fa-b167-9b105591ca51", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828807Z", "creation_date": "2026-03-23T11:45:30.828809Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828815Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "efc49e1cfae6139fd3b9f17099e560afa0e25c28d3cd44e5873d0feddcde1fe6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9e590472-e39c-596b-bb81-510d66022041", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145071Z", "creation_date": "2026-03-23T11:45:31.145073Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145079Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "39ae7a7a20366cb6b2e6cfec3476429249de837cfb0e1245237d31e4c4e87fc0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9e65a468-a620-5648-871b-283f75f99abe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828672Z", "creation_date": "2026-03-23T11:45:31.828674Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828679Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "dc424dc1d8b745d6b961f5c616f641b01edfa06ff1c8c185067b2d7ca9285137", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9e678389-face-5180-accf-a05378066430", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489602Z", "creation_date": "2026-03-23T11:45:31.489605Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489613Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c74b01e02e2a18c353bb67808efbfa766e54f441bf7dbb91bad490e8b58a72d9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9e722cbb-068d-5332-9978-3d03d2763f51", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818807Z", "creation_date": "2026-03-23T11:45:30.818809Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818814Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2418301336cd89b7e3bda2f68bc1aa63b8ea9a75da7a3b40a9ee0a9058789f63", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9e79d08b-fd5f-5223-915d-a88da7a576b3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151362Z", "creation_date": "2026-03-23T11:45:31.151365Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151373Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b80b00d7c1178f9e8568daf72095b3731f02a655872837a98f3afae066934d74", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"9e886ee4-27d5-54c6-aea8-4a0020c1ff72", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493383Z", "creation_date": "2026-03-23T11:45:31.493385Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493390Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a01d3842dbeed32beb3ba1b0b5578d4a26a85336f9a75497b4329e6685ea8577", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9e9831e8-7780-5df4-a989-4a1fe7813edd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150125Z", "creation_date": "2026-03-23T11:45:31.150127Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150132Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8face68c6d53a61e5bc75d981fc7639dd861859e8beb7180ad7eb0c12791a6cf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9e9c34c0-155f-55c5-bd96-cc05d8b0f263", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829897Z", "creation_date": "2026-03-23T11:45:30.829899Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829905Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6a678dd8c37435d5b606b41b6232b8a7232f981a1c2295ec4863649e362f8e7e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9ea1e404-a6ef-5776-b0f6-d0d757c8c277", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143475Z", "creation_date": "2026-03-23T11:45:31.143477Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143482Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bf1330ec9304e857d70135e29e91cf0b7926e41a9c34f2d1a798fcf46f573174", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9ec2e2ed-3250-5706-92e9-a608917a39ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977898Z", "creation_date": "2026-03-23T11:45:29.977901Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977906Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217", "comment": "Malicious Kernel Driver (aka daxin_blank6.sys) [https://www.loldrivers.io/drivers/3d1439e9-9a7d-497a-8c6c-74513f825d6a/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9eccebb1-ae20-556d-8367-1b093141198c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142255Z", "creation_date": "2026-03-23T11:45:31.142257Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142263Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4f17fa26ccde612a01707f58fa640d520c53aa53631883ade129c675b51c4e0f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9edab224-c394-5d1d-a138-fc171d26521e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154129Z", "creation_date": "2026-03-23T11:45:31.154131Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154136Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e65f7e35b7f76f2a6f1e467380f6b988313d78f80e129c566b0a227cdcb80f4c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9ee02884-8464-5bc8-8f2d-f55ba9395af8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983721Z", "creation_date": "2026-03-23T11:45:29.983723Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983728Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2aa1b08f47fbb1e2bd2e4a492f5d616968e703e1359a921f62b38b8e4662f0c4", "comment": "Vulnerable Kernel Driver (aka AsrAutoChkUpdDrv.sys) [https://www.loldrivers.io/drivers/b72f7335-6f27-42c5-85f5-ed7eb9016eac/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9ee16c4c-00c3-5628-a2f9-ecff75172685", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473114Z", "creation_date": "2026-03-23T11:45:31.473118Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473127Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47c4e9795cd672e4df7905d531ec7a435b7d6487eb3cd1af03cbd9338fda4b80", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9ee422db-5a0a-5212-bf95-d0b61158c11c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620935Z", "creation_date": "2026-03-23T11:45:29.620937Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620950Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6948480954137987a0be626c24cf594390960242cd75f094cd6aaa5c2e7a54fa", "comment": "Phoenix Technologies Vulnerable Physmem drivers (aka Agent64.sys) [https://www.loldrivers.io/drivers/5943b267-64f3-40d4-8669-354f23dec122/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9ef80e90-28ce-5360-b276-7c91c5cebb42", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827734Z", "creation_date": "2026-03-23T11:45:30.827736Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827741Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4e32ad2cc81d76e1fc4343565d192822d3c07a1666614ef9eed373d1a8718f47", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9f1c7bad-adc5-5862-b9c3-6f644b7889c7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488009Z", "creation_date": "2026-03-23T11:45:31.488011Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488016Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ced544aec0b87127e0548af7825a40593152636f7cbbdcd714fbb9f6be1a835d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9f2582b9-4dfb-5c8a-9304-dac83c6d4427", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473455Z", "creation_date": "2026-03-23T11:45:30.473458Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473467Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "58cb5439e34be4ede6d93c463cb0433c99a100a1c06fca777eda751fd72c07bf", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9f3e64f7-cf44-5122-8b0e-6bbf7cece4e9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479511Z", "creation_date": "2026-03-23T11:45:30.479514Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479519Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "61bd9a26c01371d865e681f6354853dc0e27b1064906cd99b15220098be6e88d", "comment": "Vulnerable Kernel Driver (aka segwindrvx64.sys) [https://www.loldrivers.io/drivers/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9f43bddf-9720-5ed2-a68c-defa3ca22e3e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981857Z", "creation_date": "2026-03-23T11:45:29.981859Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981864Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4422851a0a102f654e95d3b79c357ae3af1b096d7d1576663c027cfbc04abaf9", "comment": "Vulnerable Kernel Driver (aka DirectIo.sys) [https://www.loldrivers.io/drivers/ce2d41fd-908f-414c-b6b5-338298f425b8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"9f5617c0-7538-55ca-bf2c-cbb7458b914c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817151Z", "creation_date": "2026-03-23T11:45:31.817153Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817159Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e1688a6c7d649ae588ef418fc3732a910a5e9c0d0be02b1f9ea00a0af8cff79", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9f61f096-86e5-5770-b903-f2a833916d78", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500203Z", "creation_date": "2026-03-23T11:45:31.500206Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500214Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e1f4d2141dbe75a2df46858bc9a4fca9a0f40341e1176a06c0053e4c5b3f3ddd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9f76f804-a448-5193-88ee-190fcf61212c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820842Z", "creation_date": "2026-03-23T11:45:30.820844Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820849Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "71c0ce3d33352ba6a0fb26e274d0fa87dc756d2473e104e0f5a7d57fab8a5713", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9f7c0e58-f5a9-5cf4-b97d-486a614fbd26", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490627Z", "creation_date": "2026-03-23T11:45:31.490629Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490634Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "071336578deab97acdc527d45d67122ab60792452e87e2c4266290cf5256ee5e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9f9a184a-250e-54f2-81e1-8fcf735e6d8a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464507Z", "creation_date": "2026-03-23T11:45:30.464511Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464519Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c4fb31e3f24e40742a1b9855a2d67048fe64b26d8d2dbcec77d2d5deeded2bcc", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"9f9adde1-e4ae-5b02-b8b2-aafd85316833", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480507Z", "creation_date": "2026-03-23T11:45:30.480509Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480515Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cf63f518c9e45fe87d336c87938eb587049602707f1ed16d605f8521f88e4a96", "comment": "Vulnerable Kernel Driver (aka GtcKmdfBs.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9fa0cc83-f406-59b3-9c36-31847d8bbe11", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472022Z", "creation_date": "2026-03-23T11:45:31.472025Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472034Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "8005fee105b6f251dc19050ea88526f12fc87eb9a7326ad65638fe5d0e1d2efa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9fa4c017-9654-5e44-af87-98f895df6718", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157015Z", "creation_date": "2026-03-23T11:45:31.157017Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157022Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "18d02775e841b6e56ea1f9b2dc56a3596dc2f3e0480ffd5f0cacf4e7e724de38", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9fa6bfc5-f95e-5596-9358-1c852a366575", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480616Z", "creation_date": "2026-03-23T11:45:30.480618Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480623Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6370c82c2dbdf93608cccb88d78468edeb27f5d08f9ed0baf161842c0751f6a4", "comment": "Vulnerable Kernel Driver (aka PDFWKRNL.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9fb01145-e9bf-5ca0-a00b-6ff17d666196", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472259Z", "creation_date": "2026-03-23T11:45:31.472263Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472272Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c1bb1d40fca74e8b9779f6a8dfe2aa39350fcd046fb132ee1e63f11576c4a1f1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
} { "id": "9fb4c515-f2b4-5452-a6a7-498f84863df3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487487Z", "creation_date": "2026-03-23T11:45:31.487489Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487495Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "92e8e56516313d95a3848cc8bf31f62772f9429b24005d59ccf45fb2c9865806", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9fcced42-d254-51f3-bfe5-bab106d8d5b4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143686Z", "creation_date": "2026-03-23T11:45:31.143688Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143694Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c4ee46b5a64e9b71632e6bccc028ae959718fe15625dd2dea6a51f7cc015e399", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9fdae2e8-aafb-5ecd-b928-1c6bb6ae6c3c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618426Z", "creation_date": "2026-03-23T11:45:29.618428Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618433Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fd94be9ac97f06abe64426933fbee02871d5d181b1d9025daf1aaa92d9342e90", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9fdcebfc-1fd6-5c4f-af1e-f995e4007826", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458964Z", "creation_date": "2026-03-23T11:45:30.458967Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458975Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47e35f474f259314c588af35e88561a015801b52db523eb75fc7eccff8b3be4d", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9fdecf22-f3bc-552e-a0a7-80456fd7a070", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481961Z", "creation_date": "2026-03-23T11:45:31.481965Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481975Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b1b9f1931bc06e8c1e960ba68e47793ba665ee7867fd506380284c56c82eb891", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9fe1f196-abaf-5987-9479-2cda5786f07b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604392Z", "creation_date": "2026-03-23T11:45:29.604394Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604399Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ad2df1ae0c1ffaa2492de91bbe24ff6bf2b2beb18a62366207dfb4257ed5c60", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "9fed866a-4ffd-5f83-9ef5-bd003504f9d7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836226Z", "creation_date": "2026-03-23T11:45:30.836228Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.836234Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9b42083b947b3470a55bb521a09099c25d87da901636ecd44db5772b8f9dcabd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a00fdff5-7af7-55d2-880c-c36ef64ce3b1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157475Z", "creation_date": "2026-03-23T11:45:31.157477Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157483Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "beb70f7809807d896af9f895e13f81619bef76ae1a365bd474a48c832845b291", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a014a0f7-396d-59e5-9ad3-214d83060ab1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828913Z", "creation_date": "2026-03-23T11:45:30.828915Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828920Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b9b66666884c70dbf81a6527ecabe874406c7000f799a1c40a12e879a88b3946", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a02aaf1d-192a-59ba-8f51-431a901e137e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499216Z", "creation_date": "2026-03-23T11:45:31.499219Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499227Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b81fd3758ff5699d0a19666084589e26c852c1b09cc5ad4d95738ed752696c71", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a02c8c9b-5d11-568c-ab26-3039aacfee33", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811169Z", "creation_date": "2026-03-23T11:45:31.811171Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811176Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cb1b4cda773e14f1cca653451fce84d908fdc22d1acddae42627b9711012ba90", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a03c4320-54e7-5edd-916d-7a44c8911a8b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150967Z", "creation_date": "2026-03-23T11:45:31.150969Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150974Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e74d2b56f8ea71f5ba816420cefd44a7f780bcc97a6e315226705edd107f69ef", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a0421c55-eb48-5989-b144-d84321c73057", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977495Z", "creation_date": "2026-03-23T11:45:29.977498Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977503Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "29a90ae1dcee66335ece4287a06482716530509912be863c85a2a03a6450a5b6", "comment": "Vulnerable Kernel Driver (aka CorsairLLAccess64.sys) [https://www.loldrivers.io/drivers/a9d9cbb7-b5f6-4e74-97a5-29993263280e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a043a402-37ff-5c76-9411-56fde8284dec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607543Z", "creation_date": "2026-03-23T11:45:29.607545Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607551Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3c5d7069f85ec1d6f58147431f88c4d7c48df73baf94ffdefd664f2606baf09c", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a04b8903-c331-57ef-afb7-5957517ed6eb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610934Z", "creation_date": "2026-03-23T11:45:29.610936Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610948Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4b5aecfecf26145aadd23f96a1cdfae0bca4e53af215d4bd77bba5dcc5a4479b", "comment": "CPUID CPU-Z 
vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a04c6128-0e7c-5459-ba1e-4a51909d4304", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616739Z", "creation_date": "2026-03-23T11:45:29.616741Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616746Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8b4cbd2bc16071a1868597ec86857dba1140f981e3e943b0857341daffff4e69", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a057a680-14a8-5655-9041-638f08c63463", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831180Z", "creation_date": "2026-03-23T11:45:30.831182Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831188Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "14dd5543656d683dd6eaef643ac0e3b4e1eb1348db18d6109a6b1b75fe1dbc13", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a062e544-41ef-5a13-90ba-b767b319f5cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832334Z", "creation_date": "2026-03-23T11:45:30.832336Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832341Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1fb086cf89933281486efa575a9412e496c99dbe1106ea6c48b077be389f92e4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a06de8ad-5f20-5428-b205-e3f0e17f7b44", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143528Z", "creation_date": "2026-03-23T11:45:31.143530Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143535Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bc608516ecc4d8a265b066bd2f1a0178e4f2ab01dabec1e516b5840591c24965", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a07b3901-ca6b-53d1-afd4-65a39ecf83e6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970483Z", "creation_date": "2026-03-23T11:45:29.970487Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970495Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"627e13da6a45006fff4711b14754f9ccfac9a5854d275da798a22f3a68dd1eaa", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a0828a38-d583-599b-b9ac-3d5579cec9c4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616168Z", "creation_date": "2026-03-23T11:45:29.616170Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616175Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ad6360cee0b1b293be38348f0f9deb7221e205516524f437aaf8f468b308cb4e", "comment": "Phoenix Tech. 
vulnerable BIOS update tool (aka PhlashNT.sys and WinFlash64.sys) [https://www.loldrivers.io/drivers/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a0878cc9-d25b-5a4b-8104-7f8513246133", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824459Z", "creation_date": "2026-03-23T11:45:30.824463Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824472Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5ddd03e6455d92c7ef357f2834d70593ce65730306338a574416d9b439e2c3f0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a0950a8e-9b78-5b8b-9367-a9a8a8a86e4a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985850Z", "creation_date": "2026-03-23T11:45:29.985852Z", "enabled": 
true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985857Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "87565ff08a93a8ff41ea932bf55dec8e0c7e79aba036507ea45df9d81cb36105", "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a0a72fcb-873d-543f-ba98-7723f274ca7b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811746Z", "creation_date": "2026-03-23T11:45:31.811748Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811754Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "50f6c853251603e51534830d1d5faeb98ba638eafdb8d3cc4c49d56e28724325", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a0a81360-2cbb-5274-9d86-677ae3f95e89", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605448Z", "creation_date": "2026-03-23T11:45:29.605450Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605456Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d6827cd3a8f273a66ecc33bb915df6c7dea5cc1b8134b0c348303ef50db33476", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a0aa932b-78f9-580e-aa70-ca48c23f1b05", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609021Z", "creation_date": "2026-03-23T11:45:29.609023Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609029Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"0ce40a2cdd3f45c7632b858e8089ddfdd12d9acb286f2015a4b1b0c0346a572c", "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a0aec560-9bf9-5287-adb7-0319837d9216", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463069Z", "creation_date": "2026-03-23T11:45:30.463073Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463081Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "21617210249d2a35016e8ca6bd7a1edda25a12702a2294d56010ee8148637f5a", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a0b5f422-34a6-5344-b3d5-9fa1fd109a5d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483468Z", "creation_date": "2026-03-23T11:45:31.483472Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483481Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9866199215604d3739dd8e240b802424f9da097ead62d424c5af3cac21597ead", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a0be8b1b-7b35-5818-b139-3e6b94ca5dad", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608951Z", "creation_date": "2026-03-23T11:45:29.608953Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608958Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff6729518a380bf57f1bc6f1ec0aa7f3012e1618b8d9b0f31a61d299ee2b4339", "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a0c0be80-3402-5d00-b21f-90a4b55ac2bc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825193Z", "creation_date": "2026-03-23T11:45:31.825196Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825204Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d66bc8d2614a775eabcf0a9c51bcde2f9037dafe20f0155eec87abecd8eeccab", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a0c66ed2-d510-57ed-8269-ab9fb2dd21ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489802Z", "creation_date": "2026-03-23T11:45:31.489805Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489813Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6278724ed1c5287475fbd8888527160af10c3d83b610f0b058c1701f5aeda069", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a0e315b9-561a-5e15-bf8a-dd97ac97a4e5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606759Z", "creation_date": "2026-03-23T11:45:29.606761Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606767Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2028156ea5a202f5fa9462646f3bffa0c01ac9c2e5cf6fa4df55bf38a47ac8da", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a0e47ec1-a3e1-554a-a440-e717cdcf2c51", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464815Z", "creation_date": "2026-03-23T11:45:30.464818Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:30.464826Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c7bccc6f38403def4690e00a0b31eda05973d82be8953a3379e331658c51b231", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a0ead3fd-f628-5dce-9166-fbdc39f4e016", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975078Z", "creation_date": "2026-03-23T11:45:29.975080Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975085Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "77955af8a8bcea8998f4046c2f8534f6fb1959c71de049ca2f4298ba47d8f23a", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a0eea5ac-8281-5f75-9b04-fdf362b87d08", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155223Z", "creation_date": "2026-03-23T11:45:31.155225Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155231Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6c8f95af644c5377d68503cee0ac723150e22bfb5717921fe9998bc0fd6de479", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a0eec88d-5c71-5911-9518-68ccd55c3699", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827712Z", "creation_date": "2026-03-23T11:45:31.827714Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827720Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8e42b99a85e42eb6785ae7c45ab7f4104bc729498bb224124b3e45676ce2da08", "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a0fcece0-44fb-58c4-add7-1d6a503cebc1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611659Z", "creation_date": "2026-03-23T11:45:29.611661Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611667Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "653601cf8c3c2c4b778f9025d4e964c887966cc3216bb35a73a3ae75477b4476", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a133284a-a291-5215-8df2-0a854e664a24", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969257Z", "creation_date": "2026-03-23T11:45:29.969259Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969264Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aaa3459bcac25423f78ed72dbae4d7ef19e7c5c65770cbe5210b14e33cd1816c", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a138f940-5851-5ac4-a789-44279cd09021", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143788Z", "creation_date": "2026-03-23T11:45:31.143790Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143798Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d3dff040ce865489dbbec07b54d52c282d4b1e7ec468d54e1c90d086a3522255", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a13b20e2-1009-53bb-8472-3f2d356e9867", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143060Z", "creation_date": "2026-03-23T11:45:31.143061Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143067Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd978d1bf595a536361017627a37929a7cea97b7ff0481526efa59f3cef6b479", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a141398c-4faa-50ca-8d4a-497300e18a03", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813863Z", "creation_date": "2026-03-23T11:45:31.813865Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813885Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"1bb3e25e7a482bf47179ac18e747037f9515d058824f0c07fc323027d4d0bf13", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a145fc68-aead-5cec-8a4a-f170b5ec31e4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611308Z", "creation_date": "2026-03-23T11:45:29.611309Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611315Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b46fb3ed5a7a84ef594ab0b76f384aa2dca0614574478fb98308806612609465", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a14626ad-8043-5ff0-bd15-099db05a290d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.159193Z", "creation_date": "2026-03-23T11:45:31.159195Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159201Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "426f0507ecdd90b1fd400d79c2fb0e2b62ae329647ab9511139a8b450da0c327", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a152c187-c038-54ab-bc80-cf0f8ffcb6cc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810182Z", "creation_date": "2026-03-23T11:45:31.810184Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810190Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "18e64cc0071989c4052112a2566fe2a70daebec57de48c335357729afca7da72", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a15529a5-6d6a-53d7-aca9-57945c4cb1d6", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482370Z", "creation_date": "2026-03-23T11:45:31.482374Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482384Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "913fe318fb59a71cf9e5071009c9bc8db146b31da716980757e4744d48dc3f90", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a1630155-da2c-51cf-9fe0-02be02687a55", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828173Z", "creation_date": "2026-03-23T11:45:30.828175Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828180Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "0e6d3b0e2bc567dc978a349e58c3dca212a75b09da7d944e5168b9de84ca883e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a169b8e4-42ac-563b-9e45-d94ee3cd6b70", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969612Z", "creation_date": "2026-03-23T11:45:29.969614Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969619Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "03a54ad77fc453c9889e170a811d232a305d46fb7f59582d3f1cb234598507a1", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a16cdef7-d758-5008-8506-3342d94bae27", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827840Z", "creation_date": "2026-03-23T11:45:31.827842Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827848Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4e290d8863ca733d2dce2716dd2527cc1fc2698a0c5e8defdb3ba9a320c3aaaa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a18ce454-f8c7-58ce-b538-44be0f92a0a8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614506Z", "creation_date": "2026-03-23T11:45:29.614508Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614513Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "39cfde7d401efce4f550e0a9461f5fc4d71fa07235e1336e4f0b4882bd76550e", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { 
"id": "a18f9c26-3ab9-5ac1-a49b-c5cc8c362d5d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617413Z", "creation_date": "2026-03-23T11:45:29.617415Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617421Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "83ffcfaf429c8368194d7b73f7729d97d6a3b80fb203d57055f3e4eec8228914", "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a18fc74d-2660-5ff1-b3e7-d6363648cc6f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154350Z", "creation_date": "2026-03-23T11:45:31.154352Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154357Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "cbac1a38b4e028dd833b9a1e1d7a829f3e4520846fd312ac8c3ef310c235d27f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a19ffef0-a445-5c7a-9db6-b1b4c7cdb375", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814886Z", "creation_date": "2026-03-23T11:45:31.814890Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814899Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "48f81bd54cc3e4d049f9a88d3952c6e7fba1097785001be9bc4e4aa581eb2479", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a1af1167-2942-56fd-97d4-f6c795e7615c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979794Z", "creation_date": "2026-03-23T11:45:29.979796Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979802Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "79278979d9300670d1084493bbc03ae374efc5ab02850941e85753885fa88e47", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a1b248aa-0d41-5619-a86a-7ab9478ab7b3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822544Z", "creation_date": "2026-03-23T11:45:31.822546Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822551Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e66650e0dcdee274e2b23263027ae9a0d6efaffb81fd7c51ab0f542175e49ed4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"a1c4d6a8-3a25-52e9-b149-8352002efd1a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825476Z", "creation_date": "2026-03-23T11:45:31.825478Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825483Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6111959c7d497cdf76b482c20ba18c11ff075af083cd6143527e5ed5cc902c07", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a1d62b8b-e4ec-5085-8e0a-35fcfb725ffe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970964Z", "creation_date": "2026-03-23T11:45:29.970967Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970976Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d172d95afc72a8a4a6362175bd68b5f4405f166fff94464d845213af586fe8bd", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a1d76c4d-6f19-59c4-9dcf-ad77d2b00873", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980958Z", "creation_date": "2026-03-23T11:45:29.980960Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980965Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bceaf970b60b4457eca3c181f649a1c67f4602778171e53d9bdc9b97a09603ca", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a1e19de0-8952-508b-b869-67b8c9af3f82", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.980785Z", "creation_date": "2026-03-23T11:45:29.980787Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980792Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9544fbc011638cbc168f6ea4740cc6ed6fd331769e191fd64bdf9113eb64fde1", "comment": "Vulnerable Kernel Driver (aka PanMonFltX64.sys) [https://www.loldrivers.io/drivers/40bfb01b-d251-4c2c-952e-052a89a76f5b/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a1e6553d-bd83-50d3-8003-124ab5210717", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465957Z", "creation_date": "2026-03-23T11:45:30.465960Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465969Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f3ec3f22639d45b3c865bb1ed7622db32e04e1dbc456298be02bf1f3875c3aac", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a1f74978-6ec7-5a57-b81f-3047f4d09245", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615895Z", "creation_date": "2026-03-23T11:45:29.615897Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615903Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1f5e9fc579028d5cae916743528891aa39a4eecb3f573ea522eeb8da97f95953", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a21b981f-c3da-5b4a-a1d0-c11fc9a9c3ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974161Z", "creation_date": "2026-03-23T11:45:29.974163Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974168Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fda93c6e41212e86af07f57ca95db841161f00b08dae6304a51b467056e56280", 
"comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a21c0261-3771-5bdf-9fd0-fbd528436d99", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975446Z", "creation_date": "2026-03-23T11:45:29.975447Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975453Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "207b6cea0c9f7e94a912b388d5e9f7ace3b6405114f64bcc425042a09170fcac", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a22dd93f-87be-557e-a549-4feefefd7c0f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144393Z", "creation_date": "2026-03-23T11:45:31.144395Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144400Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c49fe7af43a777e3d1b7e883e7e65e860deb8e35f189b8352828e7ab455d4fee", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a237013c-9ab2-5934-b802-095b7fa58a61", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811044Z", "creation_date": "2026-03-23T11:45:31.811046Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811051Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1e6c794dc342d12e520a6929450033914f16a982f0b1b786fac55ca1fb4232bc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a25244de-f2ae-50e3-ae3d-ba508e93ad34", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144253Z", "creation_date": "2026-03-23T11:45:31.144255Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144261Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "94a7a48ea51c0dbae5318bb697cda5ad00f20dbb7dfa6c0ea940e44d728c031c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a2560996-b8a4-55b5-8f05-cb363a67e8fb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810155Z", "creation_date": "2026-03-23T11:45:31.810158Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810167Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d1d75a1d68c7754a5c16cae617bd8e0a37823bb0c9e83e2f7a122a5392eedb46", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a25c5fdc-4449-5c42-8870-90d96cc4fae4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492161Z", "creation_date": "2026-03-23T11:45:31.492163Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492169Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4589bf3f26fbbcfede64f606b98d9159ce7dd462928ac1775c668a7a658cf14f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a26e5896-d10f-502b-9ecc-5febacf092db", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824312Z", "creation_date": "2026-03-23T11:45:30.824315Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824320Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1ac56a208b2f9eaa828d2351c5baf3b4cdb64092a026d7a5db4c78d40bb6ec04", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a2725a61-1891-595d-98e9-d0682faaa634", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828239Z", "creation_date": "2026-03-23T11:45:30.828241Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828247Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5a7f1e339882a1c486f42016dcf9de3c29dbd630e81e77194ddb3eebab2e94fc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a2751907-6cfd-57d8-98ed-3976250da994", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617748Z", "creation_date": "2026-03-23T11:45:29.617750Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617756Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d041654d8cbf189c29919733fd40184ceaf0050295fc7a7e6e3f4cda45b5e090", "comment": "Cheat Engine dangerous driver (aka dbk64.sys) [https://www.loldrivers.io/drivers/1524a54d-520d-4fa4-a7d5-aaaa066fbfc4/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a2899ca0-faaa-5f29-bd19-56420a9f2627", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141999Z", "creation_date": "2026-03-23T11:45:31.142001Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.142007Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "20d5f791ebf599b5ff1fcfcd1858c775b76bea553bd3cabee6798564d23ffc3f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a28ae5f9-3ff0-5ebc-b85c-39fd751a6247", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470102Z", "creation_date": "2026-03-23T11:45:30.470105Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470115Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "938e65ff5760e44faf22a35242547c41a0d8d2b21a2f8a12f6b84d4055aad384", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a2a3c80a-510e-5aa4-a50d-a447ab23c102", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.815765Z", "creation_date": "2026-03-23T11:45:30.815768Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.815773Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b1920889466cd5054e3ab6433a618e76c6671c3e806af8b3084c77c0e7648cbe", "comment": "Vulnerable Kernel Driver (aka FPCIE2COM.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a2aaf45a-d91a-5b24-9ed1-78ba6346ad7d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491443Z", "creation_date": "2026-03-23T11:45:31.491447Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491455Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b63b01658504ef8de8de80ec30f9633837f646cadfbdce0612b6debbf4e8a54c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a2c5307f-1bc4-52d2-b9ae-e369849db198", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816981Z", "creation_date": "2026-03-23T11:45:30.816983Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816989Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "145b3490f5d3f45dc014d8c14112e9973796024ef1e896a10998f08bba45d8e5", "comment": "Vulnerable Kernel Driver (aka CP2X72C.SYS) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a2c86623-915d-5927-817a-e7a72481abe5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462736Z", "creation_date": "2026-03-23T11:45:30.462739Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.462748Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "26ef7b27d1afb685e0c136205a92d29b1091e3dcf6b7b39a4ec03fbbdb57cb55", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a2d3c370-1fd5-54fa-b5c0-324d7d30bda9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143373Z", "creation_date": "2026-03-23T11:45:32.143375Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143381Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ccc65f108ad084af41725e42efc3c3c539f89a474c1b1293b111a83e3eba216a", "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a2dbeb41-b5cc-53ad-b21b-96fc832b6681", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817679Z", "creation_date": "2026-03-23T11:45:30.817681Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817686Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "be589c5c853c86703e23e3b77455bd0d4330bd5e612d0af538f98cc3c4cec1b4", "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a2fa4a70-de4e-5f44-9746-73ea5b695760", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464341Z", "creation_date": "2026-03-23T11:45:30.464344Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464352Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e8743094f002239a8a9d6d7852c7852e0bb63cd411b007bd8c194bcba159ef15", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"a304ebc5-14cc-5e8d-b11b-98728178226e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968723Z", "creation_date": "2026-03-23T11:45:29.968725Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968730Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bf086b30d80ae4a4e1d6cafecf511622f077493d52c4d729ede5d4ca6b4be02e", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a31223eb-322e-5a2d-91ae-723f63d5942e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490454Z", "creation_date": "2026-03-23T11:45:31.490456Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490461Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "b88c0b535bc65985dd945baaa524a400fc5a9366eafca8ac81adc5a070db975e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a31ef481-0fda-561d-8839-3d6143dd4216", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821708Z", "creation_date": "2026-03-23T11:45:31.821710Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821715Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dad6d1ef2fc1586320e76171fd16822be56b4eee1497e7c97e72ac4421065b27", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a32387ad-cc7e-5973-a3ce-0241204f2fe3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812222Z", "creation_date": "2026-03-23T11:45:31.812224Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812230Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "593ecfd5831961c85af43db78d2b89de0e8766627838b958528a3d745f4d47b0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a329ac31-42ac-58c1-bf6a-9c8e1dffc5d7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614736Z", "creation_date": "2026-03-23T11:45:29.614738Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614743Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "984a77e5424c6d099051441005f2938ae92b31b5ad8f6521c6b001932862add7", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a32b6724-55fd-5bd1-bea6-041d24a8916d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824563Z", "creation_date": "2026-03-23T11:45:31.824565Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824570Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7c1adf6d58c674a77eb875ccb7dc3290148a94609df0dedcb961c1f78ac5bbd0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a32b7f9a-fe93-550d-b41d-ed1b9be70f4f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832187Z", "creation_date": "2026-03-23T11:45:30.832189Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832194Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ce04a15e86044d60813727ddf54465b4a6509d356048ba5c99bd5131c03dd45", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a3353a34-6600-5f6f-a92e-a5a123f3dbb6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829505Z", "creation_date": "2026-03-23T11:45:31.829507Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829513Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd1ff111e962cd5ddb714bcf49348258ba83726e7c58779ac32ecfebc0377a65", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a342e108-037e-57a2-831b-989bf86ceffa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.497984Z", "creation_date": "2026-03-23T11:45:31.497987Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.497995Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "814edc8773210d0ee42edea1d31884a3595fd6a0c366fbe383e8b389658373b3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a34dcdbb-ff26-557a-917c-74411cd7e0eb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489306Z", "creation_date": "2026-03-23T11:45:31.489309Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489318Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0b254882e39d7888ae195eca0be81ea95ca6f21e522d2afeaf6be0426324055", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a360d8ef-67ec-59cb-b31a-2125779be047", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971506Z", "creation_date": "2026-03-23T11:45:29.971508Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971514Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ceb1bf90d8652dac481fba362e5c3a6548a116897e729733f2be27f4edc5fc1f", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a36693c2-9e06-5e6d-b242-e5805e264d99", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144090Z", "creation_date": "2026-03-23T11:45:31.144092Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144097Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "05c84614bb901b97087dd7d44c839e5dae95982eae8bd8b2e8f354aff8e4c551", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a367a6f5-fd09-5ec2-8f28-4d003d586ca1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829451Z", "creation_date": "2026-03-23T11:45:31.829453Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829459Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fec113f2164c7c0570b4e465488812beb4000e97d19844b87e4540f9c3c3dc43", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a36817f6-436b-545a-af02-57748ebdfa9a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819840Z", "creation_date": "2026-03-23T11:45:31.819843Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819851Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2224d56a26690856ecc3ee84eecd389a30e530863432d39303356a3e40557d9f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a36b6e88-d531-5679-b4cd-ddd7f351b827", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458051Z", "creation_date": "2026-03-23T11:45:30.458054Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458063Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ca34f945117ec853a713183fa4e8cf85ea0c2c49ca26e73d869fee021f7b491d", "comment": "Vulnerable Kernel 
Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a373e9a8-f486-5ace-ae42-58e91460c06e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474359Z", "creation_date": "2026-03-23T11:45:30.474362Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474371Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "330941d4b4c310814278afb3d07f7191470c7da06f694342797dc6a2eb37c5be", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a376fab5-1320-517a-b421-48fdf32344d3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142185Z", "creation_date": "2026-03-23T11:45:31.142187Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:31.142192Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3be5749132be41e14fad0b9b0bbfbcaf2bcaff3aa1475ebb45195dce47c25506", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a378fa8e-d59e-5a75-adb4-e0579451cdb7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611411Z", "creation_date": "2026-03-23T11:45:29.611412Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611418Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5e9099b95b2074fecc6efa6d59552651b1e082aaa3612889f417064d378a797f", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a37ae96a-2f21-5b90-b5d0-df43e2fb5765", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813721Z", "creation_date": "2026-03-23T11:45:31.813723Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813729Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0de1e090b5ab2d423652760275bee65b5544a9261165dada553ef83f60f4a2f1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a37b5bb8-c511-53ff-82ec-64aa282c4459", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474895Z", "creation_date": "2026-03-23T11:45:30.474898Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474907Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "81017af32ebdaf0bc0878a8057bc6b8bd3848eb21aca324cd56b27faa1df7377", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) 
[https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a385a5d2-3ed7-5e12-8dab-dae3c1b1acb2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829358Z", "creation_date": "2026-03-23T11:45:30.829360Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829366Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bd83141ba59a56b674157ef969c9217c62ca3199f498cf4ea32e4010cceae49d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a38b8307-e518-5612-90e2-11824c13fdcc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456781Z", "creation_date": "2026-03-23T11:45:30.456784Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456794Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c2e1a3dd0dfb3477a3e855368b23d12b8818df8fa3bc3508abf069a0873d6bf8", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a390c2d9-5b85-58da-bbe5-f3319e88fd5b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818559Z", "creation_date": "2026-03-23T11:45:30.818561Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818567Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "748ccadb6bf6cdf4c5a5a1bb9950ee167d8b27c5817da71d38e2bc922ffce73d", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a392be01-da71-5d6d-b087-f3fadea0aa13", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.484933Z", "creation_date": "2026-03-23T11:45:31.484937Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484956Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1416327acf720388fef7728b808a47db061d0bc98798aa3250ab8d724e2e493d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a395f25f-69e3-5eb4-b662-1a691a5365c9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617555Z", "creation_date": "2026-03-23T11:45:29.617557Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617563Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a29adcc53553499e1c72bfa6595c94284aeb1d68552f964d90d03fa304df4fbf", "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] 
[https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a396a5e3-ab83-50ce-b84c-d1b4092ff7d7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471285Z", "creation_date": "2026-03-23T11:45:30.471290Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471300Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "83fbf5d46cff38dd1c0f83686708b3bd6a3a73fddd7a2da2b5a3acccd1d9359c", "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/fbdd993b-47b1-4448-8c41-24c310802398/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a39df2e5-f8fe-5c9b-a1a5-bc80d7be892b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824628Z", "creation_date": "2026-03-23T11:45:31.824630Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.824636Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d1912df289ebcd827d07c50f690902ad0ab1ca0921ddd5da4f4fcee5034e7525", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a3a82e11-79ba-54ff-b68f-af7b78d771ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611028Z", "creation_date": "2026-03-23T11:45:29.611029Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611035Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "157ae92541eda2f5035435c63e1654adfa45c06e37b05cbb60d76a63daa93f04", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a3b59f21-2719-5110-bdf8-eedbb133c11b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812258Z", "creation_date": "2026-03-23T11:45:31.812260Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812265Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a52f4f77c3d124dfb614f83c44d722ae55c55a8bc9aa6e5e879101b456386923", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a3c22071-0b31-5780-bc24-6d65f04ceadc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818926Z", "creation_date": "2026-03-23T11:45:31.818930Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818938Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "253cb2f36969c990f0960c13135ab20b9e38011a5761cf1cfe1c3e99b9afce0f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a3c3ff84-a30c-5930-87b9-0d7384349373", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465113Z", "creation_date": "2026-03-23T11:45:30.465116Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465125Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "14b89298134696f2fd1b1df0961d36fa6354721ea92498a349dc421e79447925", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a3c5955e-e179-5c4e-8154-459f9612fd1b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614368Z", "creation_date": "2026-03-23T11:45:29.614370Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.614375Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "101402d4f5d1ae413ded499c78a5fcbbc7e3bae9b000d64c1dd64e3c48c37558", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a3c8343d-9d1c-58b8-8fad-5b3fb38f63c1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983246Z", "creation_date": "2026-03-23T11:45:29.983248Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983254Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4720b202c4e6dd919222fe7b1f458705c0ed1ccc17ec4ba72a31eef8559b87c7", "comment": "Vulnerable Kernel Driver (aka DBUtilDrv2.sys) [https://www.loldrivers.io/drivers/bb808089-5857-4df2-8998-753a7106cb44/,https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a3db3417-859c-5393-bc64-db0774694921", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812490Z", "creation_date": "2026-03-23T11:45:31.812492Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812498Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2f66a9cc214782799be3bdb1014d1ec4dfb4b6ba8f209541c4e0764469b1e123", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a3dcb793-4f1a-5753-bc39-2de15ce8f40a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822683Z", "creation_date": "2026-03-23T11:45:31.822687Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822695Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "337ccdb7e3a677345eb209b58cfa8896aaf80b1171e615fc5673caff9756186d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a3e653c1-c9f6-5a4c-a3ee-2187375a2cf3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490981Z", "creation_date": "2026-03-23T11:45:31.490984Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490992Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d1a853f8a96a02d605cce4af31abb94ab234effda7a277958da4404c10e1be27", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a3e7125a-2506-5dbb-804a-d1f38d5feed7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476677Z", "creation_date": "2026-03-23T11:45:30.476680Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476690Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1aee4d8a00f126582c4488025c7451fdbb9d0becbbfd58a396a2ac52011fac14", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a3fcf42b-99e9-540c-95e6-c27eb037276f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464146Z", "creation_date": "2026-03-23T11:45:30.464150Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464158Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a42f4ae69b8755a957256b57eb3d319678eab81705f0ffea0d649ace7321108f", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a400a95d-6df1-5aec-96d2-f03bfa855104", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149826Z", "creation_date": "2026-03-23T11:45:31.149828Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149834Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d81e18a15f71397fb3ffba4f85d2b11f43a096c448544801ecc8c126cbda6e47", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a40c40a9-edea-543e-b6b7-095f63bc2241", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614300Z", "creation_date": "2026-03-23T11:45:29.614302Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614307Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9f3e67f9454cb009716b89c0a296dcde73aa29145b7dcf776b81605932785b91", "comment": "MICSYS Technology driver (aka MsIo64.sys) 
[CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a41768ec-7139-5541-8624-c2db288a7950", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821130Z", "creation_date": "2026-03-23T11:45:31.821133Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821141Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5abe2868d794a00debbeda3f6ac226ab8c5b8101fd27cd61e62d806e7810e511", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a42c9756-d8c7-5ab5-8bb6-f7693e2b16de", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470784Z", "creation_date": "2026-03-23T11:45:30.470788Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470797Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b29cf0840f2efe394091e07e6701c44916a9e3dafdef6952c1d28fbeb4649df3", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a4344b0b-c8b3-5981-9937-4a309c1e0e67", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828936Z", "creation_date": "2026-03-23T11:45:31.828938Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828944Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7fdfa7bec4063f465119df9587a268d1cca777b4c0e0d8e95d1189a3c7846d10", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a440620e-bd1b-5a1c-8a0b-d7b1ff49f043", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456103Z", "creation_date": "2026-03-23T11:45:30.456107Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456115Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a082cdb569b9f1f82252402fa05785fd409222912d5b9e5423299819e6f940ed", "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a44e20d5-cdec-5e1b-862b-deaad3c9dfaa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821670Z", "creation_date": "2026-03-23T11:45:30.821673Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821682Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "61f3b1c026d203ce94fab514e3d15090222c0eedc2a768cc2d073ec658671874", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a44fa1f9-671c-5378-ba22-09922073b2e1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456595Z", "creation_date": "2026-03-23T11:45:30.456598Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456607Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "969f73a1da331e43777a3c1f08ec0734e7cf8c8136e5d469cbad8035fbfe3b47", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a4802692-f5a6-54b8-8da5-6132fb3f246c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622650Z", "creation_date": "2026-03-23T11:45:29.622652Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.622658Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "83f7be0a13c1fccf024c31da5c68c0ea1decf4f48fc39d6e4fd324bbe789ae8a", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a4859bef-e5d8-5b43-938e-3a497e89f50a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973466Z", "creation_date": "2026-03-23T11:45:29.973468Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973474Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "12eda8b65ed8c1d80464a0c535ea099dffdb4981c134294cb0fa424efc85ee56", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a494d902-5e8c-5314-b400-2407d8cb0c45", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967362Z", "creation_date": "2026-03-23T11:45:29.967364Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967370Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6c856c3c315c0f213684045da3203692c07c3da5df755155fd8b128fb447c437", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a4968b88-9f68-5824-8cf3-da9c5c6d8de1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479757Z", "creation_date": "2026-03-23T11:45:30.479759Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479765Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2b188ae51ec3be082e4d08f7483777ec5e66d30e393a4e9b5b9dc9af93d1f09b", "comment": "Vulnerable Kernel Driver (aka capcom.sys) 
[https://www.loldrivers.io/drivers/b51c441a-12c7-407d-9517-559cc0030cf6/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a4991fdd-da7f-57a7-8587-6a117ad6ddfb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621669Z", "creation_date": "2026-03-23T11:45:29.621670Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621676Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1afa03118f87b62c59a97617e595ebb26dde8dbdd16ee47ef3ddd1097c30ef6a", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a4a39d73-91cb-5e25-b342-976c11e311b7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143392Z", "creation_date": "2026-03-23T11:45:32.143395Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:32.143400Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f190919f1668652249fa23d8c0455acbde9d344089fde96566239b1a18b91da2", "comment": "Vulnerable Kernel Driver (aka PDFWKRNL.sys) [https://www.loldrivers.io/drivers/fded7e63-0470-40fe-97ed-aa83fd027bad/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a4a92be6-a947-537e-87d0-df1ce5ca235d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828306Z", "creation_date": "2026-03-23T11:45:31.828309Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828318Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f1816b4e2ae32be1cbfae6b53a5aa7bab282edaf5c3fd46e463978bb8c432f29", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a4b75bd6-ba75-52ce-8038-96decadd39c4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614404Z", "creation_date": "2026-03-23T11:45:29.614406Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614411Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1ddfe4756f5db9fb319d6c6da9c41c588a729d9e7817190b027b38e9c076d219", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a4b8ab98-2efa-56a4-85cb-3f2daaebfae6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472694Z", "creation_date": "2026-03-23T11:45:30.472698Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472706Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8d6febd54ce0c98ea3653e582f7791061923a9a4842bd4a1326564204431ca9f", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a4bd89c0-e928-5b3d-ae5e-3b0c92f12db0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821244Z", "creation_date": "2026-03-23T11:45:30.821248Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821256Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47c490cc83a17ff36a1a92e08d63e76edffba49c9577865315a6c9be6ba80a7d", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a4c0f9b6-b140-5b80-a787-c011912f0856", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469398Z", "creation_date": "2026-03-23T11:45:30.469401Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469410Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "284bf9b08be5d4fd4b10fda6736cf490c66f9adace013c19be2e31cf74bfc5e9", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a4c3068d-65c9-5ae3-90da-20efe06e93b1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500388Z", "creation_date": "2026-03-23T11:45:31.500391Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500400Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2439616f5ab33d4a8b6d09e17295a10b61f50081be7c6ea958061f849283de38", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a4e09588-12f8-570f-9b86-59e51c8975ea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832097Z", "creation_date": "2026-03-23T11:45:30.832099Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832104Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9449b1ed5585f43c4a00d876ea076d86226a5496807ef4e75c4709e4ccfc3dfb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a4e4ab18-248f-5d94-becd-16aba6035928", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820425Z", "creation_date": "2026-03-23T11:45:30.820427Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820433Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8fe429c46fedbab8f06e5396056adabbb84a31efef7f9523eb745fc60144db65", "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"a4e8f9d6-5335-5fb1-acaf-1ac39320553e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458693Z", "creation_date": "2026-03-23T11:45:30.458696Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458706Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cdcf71696db4031fe3e70969bbe6169744ff91eebb24d6ffb734f922a850183b", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a4fd2091-4588-5078-ba6b-24bcd7fe2221", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825768Z", "creation_date": "2026-03-23T11:45:31.825770Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825777Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "c19b55ff88c487dd0cb2cd4087496f611c9df7287ecfeedd9137eef619725fdc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a508712e-8def-598e-8741-23b4ab40866b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614385Z", "creation_date": "2026-03-23T11:45:29.614387Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614392Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "131d5490ceb9a5b2324d8e927fea5becfc633015661de2f4c2f2375a3a3b64c6", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a516abbf-f5f0-5ffc-801e-02e92abac2ba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824611Z", "creation_date": "2026-03-23T11:45:31.824613Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824618Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c6253fa6ad371e218a9c08c42781fe95ec32be8a176a6a7231c3a1b7cd2841f6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a5182727-1449-5a08-968a-d7bc504bce61", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142489Z", "creation_date": "2026-03-23T11:45:31.142491Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142496Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "43025fdd42bcc3f0dc50589aed1d8a0650515ea8150886487c7fb5b927d269cf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
} { "id": "a51a536a-3475-5b37-bd5d-765ca11efa36", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.497689Z", "creation_date": "2026-03-23T11:45:31.497692Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.497697Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "23423b17aa2fed6d0c15a2def325c38c86403349d8ff0b539777c6bbcafcf865", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a5367ad2-b0ee-5497-8432-fe0190503a7f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819813Z", "creation_date": "2026-03-23T11:45:31.819816Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819825Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "63a0eb941b89c6b98885b3a2db9d6b21511c813fd065502f182e6b74d87f4b71", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a547d991-c8c7-5c7f-9c2d-b2a8d85a85d1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611445Z", "creation_date": "2026-03-23T11:45:29.611447Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611454Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8d3ed9427dcc4f79be3585d41ab9c0bb447d6a0258dd919c4d49e02dedbaa47b", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a5534782-f0a0-5abb-a532-8c58c055fcb6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829716Z", "creation_date": "2026-03-23T11:45:30.829718Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829724Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e6e9037c7882b36352b507a386a23c71e46a7d8bdec78b0c5cdd3a087b217501", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a5547094-c3f0-5c32-8fa1-dc27bea34e53", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823206Z", "creation_date": "2026-03-23T11:45:31.823209Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823218Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ba4ac170deb3dcd0ece289932d02c637d2e5e2d59dae5f08c9f115e7416b0905", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] 
[file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a583ef46-b68f-56b8-aa83-71efa6f02bfb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473031Z", "creation_date": "2026-03-23T11:45:31.473035Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473043Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6dfcd8e56c13bd0824c968f52d37f2d737ada3ddb158c8405202cb07e963eef5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a586ed20-1152-5cab-970f-9abca2b79dc5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972925Z", "creation_date": "2026-03-23T11:45:29.972927Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:29.972933Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2fbbc276737047cb9b3ba5396756d28c1737342d89dce1b64c23a9c4513ae445", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a58dccbd-e6b7-5a59-8b24-056946e3691b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813169Z", "creation_date": "2026-03-23T11:45:31.813172Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813180Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7a651ebf69a83d8ef85cdbe17b5a0bee94d30d52646ad935ecc5241641d8af16", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a592fa98-89fe-5cca-9fe6-9c5fa046d225", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816524Z", "creation_date": "2026-03-23T11:45:31.816527Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816535Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b7bf9a7577b10d3a5fa76272aaf3514c70f7a1273b2e3380524138cea2b478fd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a59ad06d-30f1-5586-89ff-1978cac2644f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145844Z", "creation_date": "2026-03-23T11:45:32.145847Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145852Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b6cb163089f665c05d607a465f1b6272cdd5c949772ab9ce7227120cf61f971a", "comment": "Malicious Kernel Driver (aka avkiller.sys) 
[https://www.loldrivers.io/drivers/7a9d34e4-c660-4388-ab61-4fd6f6bf1ad4/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a59baf5f-a9d0-528c-a9fb-6251e3a3c8e5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487144Z", "creation_date": "2026-03-23T11:45:31.487146Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487152Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "465db36e6ebb2674c666028ae6a84d545c215c84db0934a830f152e84f147339", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a5a64c9d-9180-58eb-8a88-03903d4ed730", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609937Z", "creation_date": "2026-03-23T11:45:29.609939Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609951Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "92ca1aec3afc90b44861c2e0be084a3db38d22d52f35e1697643d6477151392f", "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a5a8e4af-2f4f-5999-b4cc-58e4cb54d464", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828955Z", "creation_date": "2026-03-23T11:45:30.828957Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828963Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "668fb6e2568126a60f21bbe063e35ef824fdbcd7551cd32076181cda71727909", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a5ab5005-0036-5709-8267-13807e73416f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812783Z", "creation_date": "2026-03-23T11:45:31.812787Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812796Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0f5e68a95d3c4d654cb4a66067506baaf66470ecb425fbf137bfa4b765e79da6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a5b568ca-d0ba-51a2-bf9a-731d7f6d4fbe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481518Z", "creation_date": "2026-03-23T11:45:31.481522Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481532Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a200f489bb41c22e69eb1ef4fdedb0142aebad4b7be1c2f7bee9792fa7d217a5", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a5cd8675-4a66-5df6-936d-6d86875bec1f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815327Z", "creation_date": "2026-03-23T11:45:31.815330Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815336Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e37f93ceffb27551bf7d0af47a1ac1f4f371c2491bfe7b9160d83ccbf7432f65", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a5d8bc37-9e2d-5c7a-8941-ea6d86fd4ce9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465793Z", "creation_date": 
"2026-03-23T11:45:30.465796Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465805Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eab9b5b7e5fab1c2d7d44cd28f13ae8bb083d9362d2b930d43354a3dfd38e05a", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a5defc21-5ca4-5d1b-ac53-04a75aa37e0b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611498Z", "creation_date": "2026-03-23T11:45:29.611500Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611505Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1a8a5aebf83d1fa6daf74e48fc600e22b8fdceafb5dd7c7e14db2aa2a28e8c24", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a5e6b5cd-c77b-5317-85fc-46cc8ad01f8b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822190Z", "creation_date": "2026-03-23T11:45:30.822192Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822198Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "91e5f702691772cd1291ffbd2b645f06fda3b7b2c31c04ca28a3f4d728875cc6", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a5ea2f7d-5bb2-557a-85ab-152c67b0097c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140113Z", "creation_date": "2026-03-23T11:45:31.140115Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140121Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ffb44c5c528aebbe6ba2c3512b7b38dbf87dcc0ffb061b242e497fa0a8b157e2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a5f57bc7-f9bb-5b55-baee-7a8521a85039", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810973Z", "creation_date": "2026-03-23T11:45:31.810975Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810980Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "07a4ae3cfafd52437c1c3080ab38139c4a194db4e67a31a9118d799f04e9d356", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a5fbcbf4-4648-5581-b1f7-d1b990b37ae6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973077Z", "creation_date": "2026-03-23T11:45:29.973079Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973085Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f85eb576acb5db0d2f48e5f09a7244165a876fa1ca8697ebb773e4d7071d4439", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a6074328-30a6-57d9-a7a4-a961ff0b47c1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500496Z", "creation_date": "2026-03-23T11:45:31.500499Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500507Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ed9948c70d70c1027251b6bd689d4145c6de042122348ebbecdf21bb6af6dbd4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a609325d-57d9-51cc-8fad-a5c70dca285a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979692Z", "creation_date": "2026-03-23T11:45:29.979694Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979699Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "223b320fb86cd4a1019ce31ac6901ce6bc41792810bd995db232dad790398852", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a614b181-20ff-5986-946e-992942f51cb7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156108Z", "creation_date": "2026-03-23T11:45:31.156110Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156116Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e5a56c97fe3b994d0c73c1551cfcabfbd2e4ee7ce3fda9bc4d76f18c49c57145", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a61ad8a9-664a-59ae-a1eb-e091f2275a2d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608814Z", "creation_date": "2026-03-23T11:45:29.608815Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608821Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7dcd81140dc57d1d412c39940643ea923a1925815097f83788d840c1a7b57d25", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a6274886-f7fb-54eb-b526-75efc4de47b2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160257Z", "creation_date": "2026-03-23T11:45:31.160259Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160264Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "19df9b27dee18537afd1367f3c6eef1d230faa240b4855e856c37d3901a39aca", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a627b995-c62d-5876-9a7b-289c1940c199", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974281Z", "creation_date": "2026-03-23T11:45:29.974283Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974289Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd54115ef08b107691425e4c0bf94dc0ae7c522fba60a0ce3f574ebf4f5dbc5a", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a6374395-1056-51d6-933a-106cdaf69573", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160403Z", "creation_date": "2026-03-23T11:45:31.160405Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160411Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "02190b5e96bad0a78fe6bc6f13a942bde1a96536693b3cea40082c0f1cfa45eb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a6417a56-214e-538b-94b0-510530928d41", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615572Z", "creation_date": "2026-03-23T11:45:29.615574Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615579Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"5dfb950d4771c35f4f82626b5d8859cce74bf03db67f2be3036631894a62eca8", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a642bf80-0921-55fe-807d-37394983ed61", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157222Z", "creation_date": "2026-03-23T11:45:31.157224Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157229Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "13be73dd4f1e2db2a4621119f30429438a2331c5c7e1a07bf6f98ba96c16e069", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a647ebb2-66d0-5b95-b5eb-1e687e406b51", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:32.143961Z", "creation_date": "2026-03-23T11:45:32.143964Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143969Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "828c54cfecb2a08863319544ac716aee3898dfe78a87d7757a0e92f1b1f1daf1", "comment": "Vulnerable Kernel Driver (aka CSC.sys) [https://www.loldrivers.io/drivers/1c92e1bf-103b-4545-b242-e5a9858ec9c8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a64c1161-3379-5369-8f72-ebdcc4708aa7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491320Z", "creation_date": "2026-03-23T11:45:31.491323Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491330Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b625c7345f7a62e55948a916d0f6e6a9d8f836703a5d22f196b8b322e030596d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a658f3fe-1258-5534-bfd0-9cf13cfa6827", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812351Z", "creation_date": "2026-03-23T11:45:31.812354Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812364Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2a4339bc237e6e415e6a754864933793d9397a1cd968b569d49c96ca141f599a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a65cb1b7-cc50-5908-9688-4f6c902816e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827265Z", "creation_date": "2026-03-23T11:45:31.827269Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827277Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "58cb3c3716f8079ebed0ee562944bfde2d4aa80101f20fde64bf04359748da37", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a66a31b0-5be6-52de-ac8c-a35b0796bd25", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830320Z", "creation_date": "2026-03-23T11:45:31.830323Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830331Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8f71ef083ea97d9d6592f47a57c52cc6957ba2f356fa2b122a9539ddac4623f6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a67209af-ad96-505e-be74-afa40c793bea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500548Z", "creation_date": "2026-03-23T11:45:31.500552Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500560Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bb015d75e98e2633b848af2b60af346dcdc9c04f00826b231bfd8f6c1ed5a41b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a684e42b-479f-516c-86af-e32b3433738a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154111Z", "creation_date": "2026-03-23T11:45:31.154113Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154118Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "294ef849be00f2170346427b820cb55e31dd56c968123f56cd7c9dc7943de849", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
} { "id": "a69c2f15-320a-5da4-b433-0919232f9f51", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813896Z", "creation_date": "2026-03-23T11:45:31.813898Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813903Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "032ae4119bbded768bf334d9148771b0fc07ae15bdc6e29999527895e7f63c4a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a6a9032e-4e8f-5e26-b152-167a54ad7a5c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825072Z", "creation_date": "2026-03-23T11:45:30.825076Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825085Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7da3710a0de72e7c493716a4a017703494dbb5f13799b53bf5c105850a840575", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a6b04357-8f15-5494-bf90-6b81d57d0ae3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464788Z", "creation_date": "2026-03-23T11:45:30.464791Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464799Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0aab2deae90717a8876d46d257401d265cf90a5db4c57706e4003c19eee33550", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a6b45b5c-1579-5fe1-97de-65978971e5ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492144Z", "creation_date": "2026-03-23T11:45:31.492146Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492151Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4d49194d09db9c501d3b6d4f0b3a4703dfcfbde65038cbdb3c389e980114f1e6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a6bd9a47-cf8c-5369-b562-5e9ac79a86f5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976245Z", "creation_date": "2026-03-23T11:45:29.976247Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976253Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "42b22faa489b5de936db33f12184f6233198bdf851a18264d31210207827ba25", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a6d1cf8b-e188-51fd-9bf6-a160e27bfd0e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469543Z", "creation_date": "2026-03-23T11:45:30.469546Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469555Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "14d8ec21cc6bad738a8eef146506d04c64282bce01d9659e7f4dcdbff95e4c34", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a6da58d9-8184-5224-8fe8-0f654e48124d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811645Z", "creation_date": "2026-03-23T11:45:31.811647Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.811653Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a905284d68ba108446af0ea42c9a797dd8c2ba302b0ad89b2efc94a6b31029eb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a6e4547b-57ed-599e-bc88-ad766b5d8de9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827568Z", "creation_date": "2026-03-23T11:45:31.827570Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827576Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e71eb48affb34a84f6126ff828227a5e14d8cea137237b317c1f9069d7d4bb3d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a6e72e07-b5d2-58b5-bae0-515da98d8af5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480842Z", "creation_date": "2026-03-23T11:45:30.480846Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480854Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "797c1f883d90d25e7fd553624bb16bfd5db24c2658aa0c3c51c715d5833c10fd", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a6f9eb61-4d85-5d5b-8701-20dcc5defc3b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985961Z", "creation_date": "2026-03-23T11:45:29.985963Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985968Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7a84703552ae032a0d1699a081e422ed6c958bbe56d5b41839c8bfa6395bee1d", "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, 
reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a7065736-c0bd-5429-b170-6c6c292bac30", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615099Z", "creation_date": "2026-03-23T11:45:29.615101Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615108Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "18776682fcc0c6863147143759a8d4050a4115a8ede0136e49a7cf885c8a4805", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a709f252-8b8d-5957-87ae-683fb428ea13", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810291Z", "creation_date": "2026-03-23T11:45:31.810293Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810299Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7ae9ab9a8092590c8413d4cff96fb5e78a0e6070432f0c103adeb01f39bcd8ed", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a70d178e-add3-55ad-be4e-ac75e0d28a55", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461126Z", "creation_date": "2026-03-23T11:45:30.461129Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461138Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bbbeb5020b58e6942ec7dec0d1d518e95fc12ddae43f54ef0829d3393c6afd63", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a725f206-78df-5930-a437-624a4df1ffd8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826991Z", "creation_date": "2026-03-23T11:45:31.826993Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826999Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8b1af547bbae57877b477886dd5b9d8aacbf529cba83270abe16c93d05b823c9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a72d9bed-cf95-5fe0-9a47-97d9b9e094b4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146831Z", "creation_date": "2026-03-23T11:45:31.146833Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146838Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bd6fa2dbddc71b076b718f6d1eb834e6562921a28eab26d9e36f555170688b75", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a737f5d9-0dcc-5a27-bbcb-d9429ed52dfd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156500Z", "creation_date": "2026-03-23T11:45:31.156502Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156508Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ec80b7453e9df01c251dea86942376db15570f0de1219a6bd04a3162599a967e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a7603904-18f0-51b7-9867-642994aebdf1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824111Z", "creation_date": "2026-03-23T11:45:31.824114Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824122Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "69a48dd48d2e47a01261192b19aa99687d493e78357dac87830da7cc5f8df708", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a77296d0-3e6c-55b8-af7a-01e5fb885e37", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983334Z", "creation_date": "2026-03-23T11:45:29.983336Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983342Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2b60228db4f3092063e115537b5731ef3487ecf55c036e812605c5149071332c", "comment": "Vulnerable Kernel Driver (aka dcr.sys) [https://www.loldrivers.io/drivers/b1dd91b1-9ba3-4d68-a2d1-919039e18430/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a7742db5-a572-5441-8e43-f31456c7f420", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985557Z", "creation_date": "2026-03-23T11:45:29.985559Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985565Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cb25a5125fb353496b59b910263209f273f3552d", "comment": "Malicious BlackCat/ALPHV Ransomware Rootkit (aka fgme.sys, ktes.sys, kt2.sys and ktgn.sys) [https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html] [file SHA1]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a791ffd5-0b66-52ae-a465-090ac8ae6dd6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981384Z", "creation_date": "2026-03-23T11:45:29.981386Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981392Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d2e843d9729da9b19d6085edf69b90b057c890a74142f5202707057ee9c0b568", "comment": "Vulnerable 
Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a79b2915-b4fd-534d-868f-bb6a4b70f332", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457535Z", "creation_date": "2026-03-23T11:45:30.457539Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457547Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "442c18aeb09556bb779b21185c4f7e152b892410429c123c86fc209a802bff3c", "comment": "Vulnerable Kernel Driver (aka rtkio64.sys ) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a79e5c19-33bd-503c-b13c-b27330537098", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459489Z", "creation_date": "2026-03-23T11:45:30.459492Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:30.459501Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "62b14bb308c99132d90646e85bc7d6eb593f38e225c8232f69f24b74a019c176", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a7a17348-530a-5900-aa8a-6e6992c2412a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146359Z", "creation_date": "2026-03-23T11:45:32.146361Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146367Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff5dbdcf6d7ae5d97b6f3ef412df0b977ba4a844c45b30ca78c0eeb2653d69a8", "comment": "Vulnerable Kernel Driver (aka wsftprm.sys) [https://www.loldrivers.io/drivers/30e8d598-2c60-49e4-953b-a6f620da1371/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a7a80b46-d090-5deb-948b-cf031254524b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144258Z", "creation_date": "2026-03-23T11:45:32.144261Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144267Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dee8dbe00a809e5ecdbea898393dd9ecd32fa0a0de80463cc2b903dcdec2cffe", "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a7b429bb-0cc9-5a12-b399-9a585519126c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483275Z", "creation_date": "2026-03-23T11:45:31.483279Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483289Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d408df99fafdede69913c4f2067042c6c8b735f32c7d344f3f3e1228ce950bad", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a7b52ca2-95e0-59de-8335-0e5790af6c35", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827143Z", "creation_date": "2026-03-23T11:45:30.827145Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827150Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "afd675062e521b9a03c4a9ba2007096355f38c6206f41861bd78e94e39b286cf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a7bbf863-9e00-50d9-8f83-058aa8a3f037", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472980Z", "creation_date": "2026-03-23T11:45:31.472983Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472991Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eae3d11d5523aa08c4c75585e30cb93a7ef78bdc11b6570045a957c601a8b680", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a7bfcd28-0943-5fd8-8a24-9b89516f0e4e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977207Z", "creation_date": "2026-03-23T11:45:29.977209Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977214Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d4e7335a177e47688d68ad89940c272f82728c882623f1630e7fd2e03e16f003", "comment": "ASUS vulnerable VGA Kernel Mode Driver (aka EIO.sys) [https://www.loldrivers.io/drivers/f654ad84-c61d-477c-a0b2-d153b927dfcc/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a7efc63e-5c7d-5535-923e-7cbb7ee6a290", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488890Z", "creation_date": "2026-03-23T11:45:31.488892Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488898Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cc9cb071af476c8e92b2e90c2bd8233d3c3254bc540ed9c275829ecc0a5e4849", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a7ff1038-d44d-5daa-a6ae-ad15a00446f7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616649Z", "creation_date": "2026-03-23T11:45:29.616652Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616658Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "36aafa127736c7226c50061ea065f71e14f64ec60321f705bc52686d24117e0d", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) 
[https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a8003130-e7ba-5d23-9a7c-755655482c58", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604187Z", "creation_date": "2026-03-23T11:45:29.604189Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604194Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fc7d726e0e803bb38c0f9e910d91970c3dd7444ace1c071381e2e06939616205", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a8018a8a-f1f4-592a-b20c-f91836c9ab99", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622456Z", "creation_date": "2026-03-23T11:45:29.622458Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.622464Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "65025741ecd0ef516da01319b42c2d96e13cb8d78de53fb7e39cd53ea6d58c75", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a801c26e-8c79-5a67-bd06-0c92d14426eb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481262Z", "creation_date": "2026-03-23T11:45:31.481266Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481276Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f25ae02387ffdff6c0ee34448e1919ca9ba6558babcee6074f97d7f42ffbc4f3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a80bf6c4-a8be-55a3-a679-568cdb1be077", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829558Z", "creation_date": "2026-03-23T11:45:31.829560Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829565Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bc05218d56b9c39b3f953e9e602542767d5edff4add56599a8a6aa2539ed8306", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a81286ee-88a6-58da-8eca-93a90f7ff296", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454737Z", "creation_date": "2026-03-23T11:45:30.454740Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454749Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "19dba69b48b085d9487cc23a4135f3ef4849c181965bffc55baed9fa6c205429", "comment": "Vulnerable Kernel Driver (aka xjokercontroller.sys) 
[https://www.loldrivers.io/drivers/b3fd8560-79d3-40b7-b05f-c78044176c8c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a81c472d-5c43-5026-9bf8-defb10384178", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607240Z", "creation_date": "2026-03-23T11:45:29.607242Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607248Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cdd2a4575a46bada4837a6153a79c14d60ee3129830717ef09e0e3efd9d00812", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a821a2ac-790c-5311-a695-8c978683d680", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816012Z", "creation_date": "2026-03-23T11:45:31.816015Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816023Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "813f09d9d8afd970a14e2482b7486606ac18456f89392ec054a482fb63d760c7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a821c0b5-62b8-5ca2-8dac-6092abfbac29", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475860Z", "creation_date": "2026-03-23T11:45:31.475864Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475892Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee69db23ee91aad6e57170e9ab94ba7501e3f671a099d757a0ddba01b2ccab4a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a822b18a-28ae-5ac3-ad76-430bd6340703", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149644Z", "creation_date": "2026-03-23T11:45:31.149647Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149655Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2f8d9a34ee4fb589f38265c1bf8b672f05c8266feed1b95cea2b2312a6a32c38", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a82ebafe-232c-597f-9da3-de2b0413a57f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808723Z", "creation_date": "2026-03-23T11:45:31.808725Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808731Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4c01bd3d635e5886b1484504e3bde5d4aa667c256b88a0be258f9abb0611fa56", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a847147f-be03-57c2-800a-08dcd9349904", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488413Z", "creation_date": "2026-03-23T11:45:31.488415Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488421Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "01434817f4e9adf62573291ee5aa6dea65151cb79535a1c9957381f8c58c2b6c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a847b08f-bf26-519d-aa81-43526577e08d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819243Z", "creation_date": 
"2026-03-23T11:45:30.819245Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819250Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6f3a182bbeba28dd15e1ad52041b8b32670651686697224cad821a334a8600da", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a8499f85-0830-5c39-88f2-c05eff9b4a17", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609003Z", "creation_date": "2026-03-23T11:45:29.609005Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609011Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "092d04284fdeb6762e65e6ac5b813920d6c69a5e99d110769c5c1a78e11c5ba0", "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a849d96d-9bf2-5625-9fea-185ca88de0c3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471598Z", "creation_date": "2026-03-23T11:45:30.471601Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471610Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "20e52e0d7f579dc6884cc6e80266fddceda69ea5fdd0b095c0874b0d877e48a2", "comment": "Vulnerable Kernel Driver (aka AsIO.sys) [https://www.loldrivers.io/drivers/bd7e78db-6fd0-4694-ac38-dbf5480b60b9/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a8539e0a-5543-5a4f-9c57-9dc6c9b9289b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968845Z", "creation_date": "2026-03-23T11:45:29.968846Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968852Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1023dcd4c80db19e9f82f95b1c5e1ddb60db7ac034848dd5cc1c78104a6350f4", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] 
[https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a858dafa-b597-5722-aeef-08c21cb3b0c3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808049Z", "creation_date": "2026-03-23T11:45:31.808051Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808060Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "68d1635780247024a4475579000212aacc64e81ed59b745cefa749df82df6a7d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a85fa80b-4f78-5ed4-be65-8226bf7b84d8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142970Z", "creation_date": "2026-03-23T11:45:31.142971Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142977Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "99576f526ca1a82531030da2946513cba2b396310e31d4c7835725e7298ebe39", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a863fde7-b926-50a0-a120-eba8ef97a7aa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155924Z", "creation_date": "2026-03-23T11:45:31.155926Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155932Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "650f32fd7b1f4af7523464937377aeaed41d72b1e6954e0036cd347d5eb8f792", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a86ccc16-085a-5dd0-9273-b94db89c65db", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455610Z", "creation_date": "2026-03-23T11:45:30.455613Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455622Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7702f240800528d8186e3e6a26e2680486fed65a6fb5a2a000ad12c1fb61a398", "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a871665d-51ce-5073-980b-b215a3c5f70c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985685Z", "creation_date": "2026-03-23T11:45:29.985687Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985692Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d0d8dcc01aba3ac08084ad40df3c64e7dfdd26ad403b08e610b96e2fcaf8a713", "comment": "Malicious Kernel Driver related to WINTAPIX (aka WinTapix.sys and SRVNET2.SYS) 
[https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a87200fe-24cf-5474-9704-49f4e0480421", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972371Z", "creation_date": "2026-03-23T11:45:29.972373Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972378Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "727666434d5ea292a7631d0944edd36097db12862730996ce8a3f052be04a2cd", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a87e18e6-2986-5f6f-85bc-438b74234674", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982271Z", "creation_date": "2026-03-23T11:45:29.982273Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982279Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4cff6e53430b81ecc4fae453e59a0353bcfe73dd5780abfc35f299c16a97998e", "comment": "Vulnerable Kernel Driver (aka t3.sys) [https://www.loldrivers.io/drivers/31a962ce-43ef-410f-873a-7ccc8f00332b/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a8842d7a-3156-5926-a1e0-bf806cdebf15", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145729Z", "creation_date": "2026-03-23T11:45:31.145731Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145737Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dc5205f4653d4f1f26dd23d00f83746c5e5fae208a55851add88ee2ef4352f9d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a89cdefa-b7b4-5273-92fe-0e00c746b8bd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493006Z", "creation_date": "2026-03-23T11:45:31.493009Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493018Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "421383a2fe20328af88ab454b863484805640dd5902e6c5f07e6bf3f9cbb9f5a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a8bc7cb5-4a83-5e4c-a37c-cd93c0d097fa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472496Z", "creation_date": "2026-03-23T11:45:31.472499Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472508Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7939d3cac950f51ebcf360eb14283705da2083114170d1a179deb7b13a3afc9b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a8c63869-3265-5ff3-85be-b738e4b5b2ac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975895Z", "creation_date": "2026-03-23T11:45:29.975897Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975903Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "42f0b036687cbd7717c9efed6991c00d4e3e7b032dc965a2556c02177dfdad0f", "comment": "Gigabyte vulnerable driver (aka GVCIDrv64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a8d6e31c-2f47-5fdb-a6a2-279d836ebb0a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822055Z", "creation_date": "2026-03-23T11:45:31.822057Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822062Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "82332e1e23c95106444745ac4975655c2fb43dd2581cb5a0a7c403d242620aae", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a8f40473-7bca-5b34-959a-959ce87f18c5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819001Z", "creation_date": "2026-03-23T11:45:30.819003Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819008Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5b63080bead00cae92efb917b7a707c6a2d6628a1e90301795617b45273f45e4", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a8f8e945-9959-55b2-809d-a5336b7acd2c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155540Z", "creation_date": "2026-03-23T11:45:31.155542Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155548Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a4255097a76fd5653a0812c19698bc5d6807c9bf82447372d50bda5aa337b87d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a8f955ec-7fd2-5ccf-b844-cfa509e9f632", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811309Z", "creation_date": "2026-03-23T11:45:31.811312Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811317Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "882c8e61c7f61166fedde3dfa41c5231493eb2c7d3f3a068d45c77099841705f", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a91c0766-1f22-5a44-955f-63c360b0c1f4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477987Z", "creation_date": "2026-03-23T11:45:30.477990Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477999Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b7614d88ed04e2d3bf0798380e04b90e04d87a785fbd99f994206da8d9658fe5", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a91e53bc-0e7d-534c-841d-b14898b9a87c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147535Z", "creation_date": "2026-03-23T11:45:31.147537Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147543Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "33c33ebb9a0fe4b3a808564f581e4151185e9240b46193b71bf0ad9636820b6b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a921cd92-6242-57bf-a88d-fbe618aa4fd9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480654Z", "creation_date": "2026-03-23T11:45:31.480658Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480668Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "903cf9cdd5b50d6ddc1c781daab91f3b7f22bf373ce80dd4d2e7fb75c6421135", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a92544e1-5238-5a87-9328-bde059a00338", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488811Z", "creation_date": "2026-03-23T11:45:31.488813Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488818Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "22d60ad34fc8e926e334e4be48c63926a0ccd5e2ae63df76cc4d66bc09040b3b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a92fa5ad-4152-5bd1-8acc-827488fb2211", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608865Z", "creation_date": "2026-03-23T11:45:29.608867Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608882Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"6ab14c5c89759695dbb4b310b7cad68d9ec2007277e3b4f3abb883bd05ef557c", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a9358759-9878-5228-921a-c66f1c84e1dc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146636Z", "creation_date": "2026-03-23T11:45:31.146639Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146644Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b718a3c789cba79f67320edb91dc04d297ffeabdf81fc462ba8507254003c69c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a93e66d5-2d06-5084-a4af-1bb092d2ee3a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.618984Z", "creation_date": "2026-03-23T11:45:29.618985Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618991Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e52bb23d6e4572fda5318addb4dad602629c8f254b8e6c4baf4033dddf13d660", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a93f2d22-5176-5690-ba76-d273e43544c7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832370Z", "creation_date": "2026-03-23T11:45:30.832372Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832377Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7cfaf896771945c790bed21d17cb91891263412a96d191d020ce12e1a85319c9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a94304b5-724c-57e0-b43c-2b02753f4e6b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482315Z", "creation_date": "2026-03-23T11:45:31.482342Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482351Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c63f144892f434182835baceaa8f24a13710b68b0bfee977a7faa9510f9a322f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a9479d8c-5923-5430-ac76-03540b10726f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147331Z", "creation_date": "2026-03-23T11:45:31.147333Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147339Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "71a0e584e9bc1e4c2bc4ac4b158b9a376938ff83d8083f957435ee115ca5cb02", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a94ab1ce-622f-5329-8f98-ef7f970daad1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814915Z", "creation_date": "2026-03-23T11:45:31.814918Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814927Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b304dc8d6a996218f4ccdb6e554aa2af7b0aadf5c1313e3c5dc0b621b7adf43a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a94ceae0-6a78-58cd-afa6-e163bec8a068", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808020Z", "creation_date": "2026-03-23T11:45:31.808023Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808032Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b4ca02a619b738037fff6a64cc299ca7568ac3af82d97b599e08f89988f4f2ca", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a9513968-7fb2-5cad-824d-bdf1ff9195c4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144964Z", "creation_date": "2026-03-23T11:45:31.144966Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144971Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d71593b9dfebaf98bed630fd89f57ee5649bc1e1cb339e6b6ed4187163adead2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a9598a09-2caf-5f1b-b1ac-7ef16c3aef5e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489899Z", "creation_date": "2026-03-23T11:45:31.489903Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489912Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "48b13939682024b6545c0aaefc90e572165a3d2cc595aa91a3f4d113182e4c86", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a961da03-0fae-564c-88e4-279e1735934f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145000Z", "creation_date": "2026-03-23T11:45:31.145002Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145008Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5e8a5adfd141736db5c947223a1af06dd03f70042abcaa752b17ccdaa4d9875c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a961f377-057a-5de7-8c91-e51869e4a61c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149057Z", "creation_date": "2026-03-23T11:45:31.149059Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149064Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "17cc31dcac3a7e10a0f15b71ab36ed6b8c5fae610f2c83e16b93eba184479eb7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a989bb3d-7634-5588-9310-21cfc24a46f2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154466Z", "creation_date": "2026-03-23T11:45:31.154468Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154473Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1851a1ba633ec04fed253c346f4e0e7530fcf8256e0c385f3c63e0b868d5e662", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a98d4993-24ff-54f7-925f-3bcac49eb1d9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144559Z", "creation_date": "2026-03-23T11:45:32.144561Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144567Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "312c83a99928c30c1fc55a0a1e7571a63b0e04391abe3392115bb3b7e3f60f47", "comment": "Malicious Kernel 
Driver (aka driver_312c83a9.sys) [https://www.loldrivers.io/drivers/495f0f36-c5e0-467d-8115-b5bdbe7ff686/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a98ff7cc-2848-53ef-a38a-618805b4667a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814467Z", "creation_date": "2026-03-23T11:45:31.814470Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814478Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "afdc52dfd0928505e0246158978dff460e0697cc2b387c5bb52b0fe328a1d170", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a9937cb7-ca64-5f66-a804-94bd07670358", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826843Z", "creation_date": "2026-03-23T11:45:30.826846Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826854Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8d3c53ae698e17f331383a93990e2468c1bfd6a36a4830ffa9582ceb60d824dd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a9a94c6b-ee1b-5f9f-bf37-ea258378241f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826169Z", "creation_date": "2026-03-23T11:45:30.826171Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826177Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7ae74282bb4343f3e9c15462b67afff3f737de22f8d238751aff767c5d750959", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a9aac860-6f84-56b0-a872-d906d159fa3b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481043Z", "creation_date": "2026-03-23T11:45:30.481045Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481050Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2695390a8a7448390fe383beb1eee06d582202683f0273d6e72ef39a8cf709e1", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a9b60390-67d3-5be2-814a-16376b529e3b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982086Z", "creation_date": "2026-03-23T11:45:29.982088Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982094Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2bf29a2df52110ed463d51376562afceac0e80fbb1033284cf50edd86c406b14", "comment": "Vulnerable Kernel Driver (aka 
rwdrv.sys) [https://www.loldrivers.io/drivers/b03798af-d25a-400b-9236-4643a802846f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a9e1278d-db32-5f25-8987-ebad5525027b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836577Z", "creation_date": "2026-03-23T11:45:30.836579Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836584Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eafc2ce205bbdd326250823d82060acc957a1bc13b7af76939409db6e43210c5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a9e31460-4b9b-5f36-b53c-33467990d52d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152134Z", "creation_date": "2026-03-23T11:45:31.152137Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152145Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ac1a83279e35ee1e9537886adc1c5b5b3d4976a80ed52febf6ca416a5dde6055", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a9e6cf8a-3898-552f-ab94-a0da0ba58c15", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147112Z", "creation_date": "2026-03-23T11:45:31.147114Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147119Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ec6bd4ea58f2a1eb2aa827f40c145c0271a36a7400309b83ce7598d4a0dd765", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a9f22e57-d81d-59d6-8fc9-e7440cbab55c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455361Z", "creation_date": "2026-03-23T11:45:30.455364Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455373Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "62a17c9ec21461badecd1c25744a42bf5c9c0ed39b979fb07ca817f30c862a35", "comment": "Vulnerable Kernel Driver (aka VBoxUSB.Sys) [https://www.loldrivers.io/drivers/70fa8606-c147-4c40-8b7a-980290075327/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "a9fd75bf-b113-5e5e-b35c-5f66f7e2c301", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831200Z", "creation_date": "2026-03-23T11:45:30.831202Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831208Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f523e46679c9b40f5bf4831e3cb60d90bd27b1acd3b4b7a12e1fc9ae06fdb5ed", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aa077870-661f-577c-b335-fcf15ece173c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973793Z", "creation_date": "2026-03-23T11:45:29.973795Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973800Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "80a59ca71fc20961ccafc0686051e86ae4afbbd4578cb26ad4570b9207651085", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aa0b4dbb-d53c-56c0-92e9-d7eb56fc4092", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823070Z", "creation_date": "2026-03-23T11:45:30.823072Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": 
true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823078Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "039f442ffbda7decaaf1e367db6fc6f28cc73d549527ef5bedf2be8badedbfd7", "comment": "Vulnerable Kernel Driver (aka FH-EtherCAT_DIO.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aa10c950-dc1e-5287-8cc5-417bbb892544", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981926Z", "creation_date": "2026-03-23T11:45:29.981929Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981934Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1f05f74ebae7e65d389703d423445ffb269e657d8278b0523417e1f72b0228eb", "comment": "Vulnerable Kernel Driver (aka TGSafe.sys) [https://www.loldrivers.io/drivers/ad693146-4adf-4407-bb20-f2505e34c226/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aa11682b-5e88-56a8-8d73-94eb6b434619", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470162Z", "creation_date": "2026-03-23T11:45:30.470165Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470174Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea318c5300b57b35e07b4c16453a660cd5ce059cdb6578d3057e848e14d68eac", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aa12f38e-232c-5b95-abbd-37d419dcab44", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493400Z", "creation_date": "2026-03-23T11:45:31.493402Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493408Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d7198c9e16ef10a701abbae9422755d904e730893724988b3f63226ad499de02", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aa3bb407-fea5-5f50-8ed7-027961654c59", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821890Z", "creation_date": "2026-03-23T11:45:31.821892Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821898Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2a87f78a357f9eccc2aa6a04ff5b70d6044d3c6b0ba436d0c4199f3e57272c32", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aa3eb61c-c864-5911-b77b-3645b42e5207", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815850Z", "creation_date": "2026-03-23T11:45:31.815852Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815857Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6e4cf5d2df79e2f561c228b3cbbdb6e1c5b0eff9e62144b4a97d5d128669de80", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aa42c9d7-a497-5ac7-8478-e0e5a2057f15", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146818Z", "creation_date": "2026-03-23T11:45:32.146821Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146826Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3e7c62daf3da6ea70530adc9a65bd97dcdb4afe0b82e7622f6d965bdaa99025b", "comment": "Vulnerable Kernel Driver (aka CSAgent.sys) [https://www.loldrivers.io/drivers/9974b134-7fee-4c7a-9b0d-38b3b2d7e957/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aa48bdd3-1493-52b5-9721-fd29a6097523", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475666Z", "creation_date": "2026-03-23T11:45:31.475670Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475680Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "433fc3f44a990949b876015da853a4ff4e7a7c6d0a62eeadf795489b4e15843b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aa5714ae-a23b-5f7e-8b6b-279b465d2315", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818486Z", "creation_date": "2026-03-23T11:45:30.818488Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818494Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e8b51ab681714e491ab1a59a7c9419db39db04b0dd7be11293f3a0951afe740e", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aa6058e1-bd62-5153-b892-73498bae1706", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.478272Z", "creation_date": "2026-03-23T11:45:31.478287Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.478319Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "38e52e61ea71ac13f8f12e6aef2ac4d9e580e1d8b25dbb405e005599a4a4b13d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aa611048-97d3-50f9-98ba-18930e5a85ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494565Z", "creation_date": "2026-03-23T11:45:31.494567Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494572Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "06f34294ae1fa7ee0e3c46af301a7c486f08377ce0621c078382f7beed5a66d3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aa6a9347-b685-5cb6-86db-fa8bdddc8064", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967290Z", "creation_date": "2026-03-23T11:45:29.967293Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967301Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "04e88b7717aadc6b56dfa006b9414fc2c899c398d7e003627770e07fed52edfd", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aa6b6a9e-6c24-5324-bcdc-127b37318ad0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474923Z", "creation_date": "2026-03-23T11:45:30.474926Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474935Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d6d5d997bbb55b2328c6486595f6f3070a0d03b4dd7c1d2ec1510f43e61b9bcd", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aa86f42d-4c8b-58d6-b70d-b893186e4c2d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154264Z", "creation_date": "2026-03-23T11:45:31.154266Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154272Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "605165377339773fb440d0923fbdc1b12569de46e52b10496bd0fe72774001c2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aaa6d240-abec-5f9b-ae9b-9520f10e9d08", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825486Z", "creation_date": "2026-03-23T11:45:30.825488Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825494Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "76d9641d60b8addda570a0f669b521afcc8552c5bbae08f10997cb512e226172", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aaab8eae-21dc-5991-9052-be5c46e7ab59", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620141Z", "creation_date": "2026-03-23T11:45:29.620143Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620149Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b97f870c501714fa453cf18ae8a30c87d08ff1e6d784afdbb0121aea3da2dc28", "comment": "Intel vulnerable drivers (aka semav6msr.sys and piddrv64.sys) [https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aab1141e-826a-5bd2-b087-723314de727f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829014Z", "creation_date": "2026-03-23T11:45:31.829017Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829025Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "13f91297fe2a1a582483c186dbc70d7dbaa53802d639584c1f809eb73dfa3604", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aad3455c-7963-5cfd-8697-e88d53045f61", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807408Z", "creation_date": "2026-03-23T11:45:31.807410Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807416Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b59418c8276ece28f801fd2566c230cd66a2ab5b7b200de4743e495f5a772b34", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aad96b9f-4f01-58f9-91c9-037335bbd4c1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149451Z", "creation_date": "2026-03-23T11:45:31.149454Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149463Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ad5ddf3ea6ccdd15e056c8f0a6cbda25c68db0780307a7f35aaf19a7a11b4b2d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aadb2840-b4b9-5438-ba43-e17b115231a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815916Z", "creation_date": "2026-03-23T11:45:31.815918Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815923Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "accff182f5536f07e09f5b618bd22b0fa5c91f7a29e248dca0a910272d2fe26e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aaddc46a-5ded-544c-adae-a45e0d9d0c7a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608172Z", "creation_date": "2026-03-23T11:45:29.608174Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608179Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "353aad3d49624aa250019ca2ced8983c7726f500f89165342683555a7ccfda42", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aae9c26a-ee13-5a58-9f3d-87b3df71199a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979499Z", "creation_date": "2026-03-23T11:45:29.979501Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979506Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4734a0a5d88f44a4939b8d812364cab6ca5f611b9b8ceebe27df6c1ed3a6d8a4", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aaf4d2ab-42b1-56c4-b7e5-53fcb455480a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490191Z", "creation_date": "2026-03-23T11:45:31.490193Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490198Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b717e36d39419311eb5046d6239adf4d4bb3d940a80b977456f05ea63a6fe46b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aafe6b63-a23a-53dc-8fc0-97ef6a80f6ad", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141629Z", "creation_date": "2026-03-23T11:45:31.141631Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141636Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fd5eff8c4331b7fa1f066deb4524af3681539544327bd1134f06697943f8d379", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aafff0d5-e908-5e7f-8f58-07ad62346a90", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145038Z", "creation_date": "2026-03-23T11:45:32.145040Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145045Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bc2606740e4648c3732541db929f2e02ea8567520d35de57c671e93c71e632f3", "comment": "Vulnerable Kernel Driver (aka dellinstrumentation.sys) [https://www.loldrivers.io/drivers/86b9c8d6-9c59-4fd4-befd-ab9a36a19e36/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ab16375b-b57a-5c79-826c-a211bbf8acf8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978843Z", "creation_date": "2026-03-23T11:45:29.978845Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978850Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "641490e28b2a1ee223238f5d969b5abf60a1089afe597c4251b285449e6b3b04", "comment": "Vulnerable Kernel Driver (aka speedfan.sys) [https://www.loldrivers.io/drivers/137daca4-0d7b-48aa-8574-f7eb6ad02526/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ab1ca660-74ba-55e9-b571-a1cc9450dbc2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471018Z", "creation_date": "2026-03-23T11:45:30.471022Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471031Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b9914ac1acbdc493d78c289bd185c301498c312602cabfcae8aa86cecb9fd14c", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ab20824e-23cf-5d11-bd45-4883a7474d70", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819676Z", "creation_date": "2026-03-23T11:45:31.819680Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819689Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7506436dac00fddc3c1a39cc9ccd2030aec68d32434470397d7bd10fc12e091f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ab2d6424-d24f-5435-a2e9-96ec1b0f619b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610066Z", "creation_date": "2026-03-23T11:45:29.610068Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610073Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1e16a01ef44e4c56e87abfbe03b2989b0391b172c3ec162783ad640be65ab961", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] 
[https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ab323f2d-36fb-5ab4-abb1-9dc42bb78b8f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485288Z", "creation_date": "2026-03-23T11:45:31.485292Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485302Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ac3a4d715589062cac8369ce06f5be060a6bc2fe5d960c8e52bfc755a64792b9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ab339e5d-1d36-5830-bc6f-7f19205cf25c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822209Z", "creation_date": "2026-03-23T11:45:30.822211Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822217Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bcf3c0762d6600506ff3b2f13ac6d978041b0b50131b3a564a558611dd3b96df", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ab3b1d48-00a7-5317-9a79-eedba87a0815", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823106Z", "creation_date": "2026-03-23T11:45:30.823108Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823113Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0b57569aaa0f4789d9642dd2189b0a82466b80ad32ff35f88127210ed105fe57", "comment": "Vulnerable Kernel Driver (aka atlAccess.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ab49e97c-313e-59e1-ae4a-bea5d7b46d6d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148312Z", "creation_date": "2026-03-23T11:45:31.148314Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148319Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "33d1b153cc8f762d850b83d94325a829e0e00aef12b8c64e2543bbd774daebe2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ab577ce4-9242-5972-97e7-9f2263b95466", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820515Z", "creation_date": "2026-03-23T11:45:31.820517Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820525Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5a3d1c4bd7153c6f49c0ea0f3db72126dfa4fa9235d783bb5e8ce9de1d4e78bd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ab6b172e-5c69-5cc6-904b-af7e87f74a99", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824221Z", "creation_date": "2026-03-23T11:45:30.824224Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824229Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1f56a17f13eaa76384ebb5586f5e63b24729f90888fd5be9c9ee3a39690f428b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ab70ba02-f666-591a-939b-345777165767", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977694Z", "creation_date": "2026-03-23T11:45:29.977696Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977702Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9345c3af554c06aa949492f1642a7a03404956d2952cca8a68658b62dccb0825", "comment": "Malicious Kernel Driver (aka ndislan.sys) [https://www.loldrivers.io/drivers/ca1e8664-841f-4e4b-9e67-3f515cc249c6/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ab84e72a-9bec-52d3-8783-abcb2b7aed57", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621479Z", "creation_date": "2026-03-23T11:45:29.621481Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621486Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ce231637422709d927fb6fa0c4f2215b9c0e3ebbd951fb2fa97b8e64da479b96", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ab85c293-15d1-53a7-a935-d7957892279a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819830Z", "creation_date": "2026-03-23T11:45:30.819832Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819837Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "642857fc8d737e92db8771e46e8638a37d9743928c959ed056c15427c6197a54", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ab8dcca1-cc32-50bd-a233-0094b7e0ceec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608245Z", "creation_date": "2026-03-23T11:45:29.608247Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608252Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "90c9e8bed1aeb314636a7bc86e26e484eade53c744d2e8a7a316459709760a5e", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ab90e8aa-4d3e-5b98-8137-653a0784e2bf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455891Z", "creation_date": "2026-03-23T11:45:30.455895Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455904Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3bf77c52cc0e6b1b0f2b8ceffaadb156673768146950401c27fbfd7e2bedd618", "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ab942bca-b90e-53f7-8b3b-1e4a55ef62a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476174Z", "creation_date": "2026-03-23T11:45:30.476177Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476186Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d04c72fd31e7d36b101ad30e119e14f6df9cbc7a761526da9b77f9e0b9888bc4", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ab94ee49-57bf-59a7-943d-e69b5a5b8aca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147394Z", "creation_date": "2026-03-23T11:45:31.147396Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147402Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "add4f9ca3e0cb3a429dc5b5c1b0e035483aa73a8b4343933da3d6fccbe26cf13", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ab9b3a91-da92-5ed7-b23f-da4c8f00dde3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464626Z", "creation_date": "2026-03-23T11:45:30.464629Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464638Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "64d4370843a07e25d4ceb68816015efcaeca9429bb5bb692a88e615b48c7da96", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "abaac0c3-c86f-5cee-b18a-7511f5021c99", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980976Z", "creation_date": "2026-03-23T11:45:29.980977Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980983Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9bd8b0289955a6eb791f45c3203f08a64cbd457fd1b9d598a6fbbca5d0372e36", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "abacd25c-6918-565d-aa0f-f0e2f8831dd1", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970366Z", "creation_date": "2026-03-23T11:45:29.970368Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970373Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b61b09f6313a567b6fcdec2e961f6a118a2314aed5519dd2b9830c4ace758c03", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "abb1658e-0415-5854-9016-a974522c365f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140565Z", "creation_date": "2026-03-23T11:45:31.140567Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140572Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1971f32f211b10e0b13b1fc29389704ee30f5a0af76e8b44bbc36cc3a0a75ca0", 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "abb674bf-d003-5d6d-bda6-bd9d518bcee5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144411Z", "creation_date": "2026-03-23T11:45:31.144413Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144418Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd0c0af7261a6ca81fa1981e4e51b6502216e75f9fc80af30d8b4c8bd6958669", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "abc988bb-db47-5053-a44c-22d089808b27", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460664Z", 
"creation_date": "2026-03-23T11:45:30.460667Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460691Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1cedd5815bb6e20d3697103cfc0275f5015f469e6007e8cac16892c97731c695", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "abca81ef-5292-55ef-9a00-8486d991ccf5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976464Z", "creation_date": "2026-03-23T11:45:29.976466Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976472Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1716d4c523aeea9703032ca93eb9668b9a16f542c00cec248b0a1c132d80bb15", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "abe415a1-2eff-5129-9a7d-7b4946486789", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150071Z", "creation_date": "2026-03-23T11:45:31.150073Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150078Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3ee93b7d88c8b12daa635eabbf410dcc85ca59d09236bc370e9d3cde005d02fa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "abeb7395-225a-57f3-b3c0-39b9c726e960", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978248Z", "creation_date": "2026-03-23T11:45:29.978250Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978255Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f", "comment": "Malicious Kernel Driver (aka wantd_2.sys) [https://www.loldrivers.io/drivers/aa687f89-4f3b-4b59-b64e-fee5e2ae2310/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "abf38035-9853-5f02-8d5c-5c258db158db", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611694Z", "creation_date": "2026-03-23T11:45:29.611696Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611701Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "68b0a239031b158e2927bb5dc8844b662cb4616ee8c1363fa729aa8fa0d86cff", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "abfa4c63-ffc3-588d-9628-4e25ba6b93b4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820271Z", "creation_date": "2026-03-23T11:45:31.820274Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820282Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "906dbf004c8a502c821be0783c09c0834f0def4adf74402b5181bad93fb04d19", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ac1102a0-ca1d-54a8-b069-1371c83754e3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154587Z", "creation_date": "2026-03-23T11:45:31.154589Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154594Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d6d0573dd11a89a44ce660398984afd191466af7f3fe96e719ffb4b7fe590fa5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ac1a02a5-e2f0-5f95-be88-8007595339c4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808414Z", "creation_date": "2026-03-23T11:45:31.808416Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808422Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0d01999f5cdc1e01f5e426d1464e2ee6f0c16f8734a669f9bef5c8428e8671c7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ac239dd8-d616-5b79-9439-a3b3ed002616", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479722Z", "creation_date": "2026-03-23T11:45:30.479724Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479729Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0f1fbadc1d7a77557d3d836f7698bd986a3ec9fc5d534ad3403970f071176f7", "comment": "Malicious Kernel Driver (aka a9df5964635ef8bd567ae487c3d214c4.sys) [https://www.loldrivers.io/drivers/ac62e709-4aa5-41f4-87b1-b811283d70d1/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ac308b0a-0da6-5a63-95a9-a36d91b82959", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608439Z", "creation_date": "2026-03-23T11:45:29.608441Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608447Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9dab4b6fddc8e1ec0a186aa8382b184a5d52cfcabaaf04ff9e3767021eb09cf4", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ac33c23a-b63c-5a85-8f66-416d184c93d4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479494Z", "creation_date": "2026-03-23T11:45:30.479496Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479501Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f83465d2c38c20a3854d86c293867de3baae2f90419dbe82405bc9f9dd7bbd8c", "comment": "Vulnerable Kernel Driver (aka segwindrvx64.sys) [https://www.loldrivers.io/drivers/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ac34a4bb-cabb-5b12-bfbb-06211fb17fe6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467707Z", "creation_date": "2026-03-23T11:45:30.467710Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467719Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bf2ab728d27075bf2245ddc3257ad8df5179c8c4a449493ea995af9a979d6a2e", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash 
SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ac500047-8912-5920-8a48-b05494b6776f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813504Z", "creation_date": "2026-03-23T11:45:31.813508Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813516Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0d6993f06763fda1aba7f09487c81c378a6e3d435827d15e778fc499826b205", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ac514672-2272-5b59-9695-75b97a22e403", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824162Z", "creation_date": "2026-03-23T11:45:30.824165Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:30.824172Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ce6de057bd961747bf279abe43591823512bfc218b3e378357dc3a6282db5cc6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ac5576e5-e8b7-5aea-a541-72fe76d717ac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149863Z", "creation_date": "2026-03-23T11:45:31.149866Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149886Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9b240ed7b56af0a9f695504d388a2cc809de65c912d7cfc343b5335cc6aee59a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ac62b5e9-2556-562f-9d96-75d2e7832cf3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978188Z", "creation_date": "2026-03-23T11:45:29.978190Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978196Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "265010deb10af80885726edc450867fa69acbde449b51d13bf891322ff5c1c2d", "comment": "Malicious Kernel Driver (aka 0x3040_blacklotus_beta_driver.sys) [https://www.loldrivers.io/drivers/8750b245-af35-4bc6-9af3-dc858f9db64f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ac67d270-0fb9-527b-87d7-ae97189c7d7c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142754Z", "creation_date": "2026-03-23T11:45:31.142756Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142762Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "917b94760c0c98d00ad1f3b6955cba990514e5062ec3c9ab0ba77905972d2cfc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ac72a93b-ec40-5cb2-bfa8-d25f0cd94075", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975429Z", "creation_date": "2026-03-23T11:45:29.975431Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975436Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "192a27335de23a008c05efe24ea1fa0f633dd8ddc68d904466e4e2741a0bb645", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ac76ff14-b24f-5622-a756-6dfedc236c38", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.468259Z", "creation_date": "2026-03-23T11:45:30.468262Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468271Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "770552bfc6598f165443da94ac0c6aca00f95a6a9a8e89713f9980730d9ee9c2", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ac7dc6af-2017-52ff-93a4-02537900cb57", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144982Z", "creation_date": "2026-03-23T11:45:31.144984Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144989Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "722ae57db8ce8f7b8cc28714e5c151f812411adbbd27b5e8d5aa75b1f94dd22b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ac830ddc-0dfa-54b1-8aa7-93eb3e91b9c3", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609684Z", "creation_date": "2026-03-23T11:45:29.609686Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609691Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e665962c827ce0adbd29fe6bcf09bbb1d7a7022075d162ff9b65d0af9794ac0", "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ac889e37-06f3-5744-99e8-e15fee9cf206", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.478599Z", "creation_date": "2026-03-23T11:45:31.478603Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.478613Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"33debab1d4d09a0177eb0dccd4764deebbbc19e214385943e257375921e8a323", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ac8bd08d-27d9-5298-85a3-f3b6827ad944", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971857Z", "creation_date": "2026-03-23T11:45:29.971859Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971865Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ac96c034-0647-517a-8d83-9ef765ce5e2c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.818541Z", "creation_date": "2026-03-23T11:45:30.818543Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818549Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "53b9e423baf946983d03ce309ec5e006ba18c9956dcd97c68a8b714d18c8ffcf", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ac9ef523-c587-564d-9c65-fd574ce547ea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154691Z", "creation_date": "2026-03-23T11:45:31.154693Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154699Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "619dc10d02ca22d881f02a70f0ad225f736a6f0fc2e1d29eecc275dc3808d7ba", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aca022ec-227a-5f66-83b9-a313a38489c3", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494112Z", "creation_date": "2026-03-23T11:45:31.494115Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494124Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c55b9674a4dc7a17515ab97db846ce4cbed9e7f9ce2e3e58d860d71b62d3b32a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aca237bd-25fa-5e77-b203-df275f682bb6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970123Z", "creation_date": "2026-03-23T11:45:29.970125Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970130Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "6c919efdad21b7d9884903b9d539fbb50dc418ff2c2753c12b35b9ace4c96d73", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aca6bd2b-253b-5e01-aa5a-498210dc63e6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145508Z", "creation_date": "2026-03-23T11:45:32.145510Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145515Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6bc0e1c104fac4a8caa4237c7ae181ca11a043a3ee26426aeb7a90dc40281fad", "comment": "Vulnerable Kernel Driver (aka szkg64.sys) [https://www.loldrivers.io/drivers/375e8de3-aae4-488d-8273-66744978b45f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "acc33743-5704-544c-b2a2-485eb61c28a0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969133Z", 
"creation_date": "2026-03-23T11:45:29.969135Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969141Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1a42ebde59e8f63804eaa404f79ee93a16bb33d27fb158c6bfbe6143226899a0", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "acc37293-643e-5fe1-bb73-21d55fd3db4e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487218Z", "creation_date": "2026-03-23T11:45:31.487220Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487225Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c860d22c8a57469b55311b8b6cb3e00eb19b80f94a8da65511faa6a4d1977789", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "acc46334-99cb-5ff2-a332-c8a710273ae3", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.471455Z", "creation_date": "2026-03-23T11:45:31.471475Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.471496Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8ce399c685eafd2405f1c89108fdef0086a759426c0d3546759b8ef0de850b5e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "acc554c8-cd52-5981-bae1-8cc535db9036", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456393Z", "creation_date": "2026-03-23T11:45:30.456397Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456406Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"29cf2d374d7afe009bbf60ba5f50db7016314de682cf3a6f90c0996810c821ef", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "acc71146-1955-5576-b469-e990f3f26a92", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819446Z", "creation_date": "2026-03-23T11:45:31.819448Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819453Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f580d408a777774f9f5d5079b359e7f1d0acffd35a15bda104f01870d39c0178", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "accb8766-e9e4-5a2c-8149-b48dae1efcb8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141363Z", 
"creation_date": "2026-03-23T11:45:31.141365Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141370Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d3cc4151dad39a2cfdc74620401beee39ba77df791962086aabf711c6d06b607", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "acd129e9-99ce-54cc-bab3-fa0adef0827f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827067Z", "creation_date": "2026-03-23T11:45:31.827069Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827075Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff7ef87064ea5a88eb8eca036025bb081a00d2ab1c24c0cec8ec2fb0f27f0c95", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "acd84c09-c1ba-5615-b436-82c5c3ab4e60", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490731Z", "creation_date": "2026-03-23T11:45:31.490733Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490738Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "010a79d3cdb03960969c84bb0316fef86defd97ab61530e34d734b9d1937fd33", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ace12cd4-a45c-5982-889a-b126ba838518", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816617Z", "creation_date": "2026-03-23T11:45:30.816619Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816625Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "a5a4a3c3d3d5a79f3ed703fc56d45011c21f9913001fcbcc43a3f7572cff44ec", "comment": "Vulnerable Kernel Driver (aka avalueio.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ace92d33-62c8-581d-86c8-80ed8273d96f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456652Z", "creation_date": "2026-03-23T11:45:30.456655Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456665Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0dd55b4dc7e561dfe413b029673674e2a5381f5f4daede03ddf3484310a6e11", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "acecf9c5-e859-5d29-ac36-f2f1c9d83a6b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970703Z", "creation_date": 
"2026-03-23T11:45:29.970706Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970714Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "200f98655d1f46d2599c2c8605ebb7e335fee3883a32135ca1a81e09819bc64a", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "acf0ae4e-9d8d-5232-8ffe-eaddd033dc17", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831585Z", "creation_date": "2026-03-23T11:45:30.831587Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831592Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "606625f34031d5e1ccbb16b336036e8435d17ad575a4198ad36c4cd86b33630e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "acf7be41-3bef-50a2-863f-5e08e2b273ef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143308Z", "creation_date": "2026-03-23T11:45:31.143310Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143315Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff5d3929a5f07a680cd3de28723f6690d813a538c69b28f1253210d0955ed587", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad0251db-787c-5625-82b9-8d3f489fdbc3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478960Z", "creation_date": "2026-03-23T11:45:30.478963Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479104Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6279821bf9ecced596f474c8fc547dab0bddbb3ab972390596bd4c5c7b85c685", "comment": 
"Vulnerable Kernel Driver (aka rtcoremini64.sys) [https://www.loldrivers.io/drivers/b9e01a11-6395-4837-a202-0c777d717a43/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad027320-32db-5aaf-85ce-62f37fbb1913", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492214Z", "creation_date": "2026-03-23T11:45:31.492216Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492222Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d5c2c18244fcba7fd61f1c711697451457364fbc9e8bb3638327c106776049b0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad0d112e-a621-51fd-b230-831f25a8b561", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480205Z", "creation_date": "2026-03-23T11:45:31.480209Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480218Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8435df2f25910f5ce3ac9a0c6ec1d3c784e2ea2d02cd600b0d61e22d48b8ad9d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad17b47a-7788-5453-8342-1a7e94ce21fc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146420Z", "creation_date": "2026-03-23T11:45:31.146422Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146427Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f5240c956d8321d423461dac7cfcc73d1ccc3526c251585036eed33daf40d33c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad19b531-06e9-54a1-b2e5-a051e3eadd3b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810629Z", "creation_date": "2026-03-23T11:45:31.810631Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810636Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4912c468ac1757f73ce1dabc7f02d89dd455bd2a9d8da51dd6bae5512967aac3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad223995-021e-5b4a-a785-923f0dc4d652", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615327Z", "creation_date": "2026-03-23T11:45:29.615329Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615335Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"9a1d483d6ca994942533fcfe10c11b1725bbb9551e435476453a57ce7ff17029", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad275f03-fe03-503e-80c5-a1e84c1a0c3c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976080Z", "creation_date": "2026-03-23T11:45:29.976084Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976090Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a02b0b4bc2f2cc9034f98d6a35550c56e3e30a09ee16dd61587405a3a92f12ca", "comment": "SystemInformer driver (aka systeminformer.sys, formerly known as kprocesshacker.sys) [https://github.com/winsiderss/systeminformer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad2937dc-8b07-54eb-8763-9bc4f30d6de7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969630Z", 
"creation_date": "2026-03-23T11:45:29.969632Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969637Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eb0767d3b74dd3cdd6bb806b647c61afb187cc055ac9730dc8d43a4e6ea095f9", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad489102-a99d-5477-b260-b0b2635bc8d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823833Z", "creation_date": "2026-03-23T11:45:31.823835Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823841Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5a63aff2747f2d3f20b4c9b2ca1106d901fa0d7c5cd39f9a4e50489c1ccc7c15", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad522b41-052e-5973-a6ec-6a8c3bd097fe", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830059Z", "creation_date": "2026-03-23T11:45:30.830061Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830067Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b7fe1e99997e1172bac0d62b1519c52784f586497f86147be79ca3eda8a3a9b4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad5620c2-c060-5049-ad21-3e13700950a9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147587Z", "creation_date": "2026-03-23T11:45:31.147589Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147594Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"7f9934c82ece5f1d1f1ad013c969a5bb691006a9a003473a12cae809e280ab58", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad5d44bf-0ff6-5160-9e6d-b3483154073c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816898Z", "creation_date": "2026-03-23T11:45:30.816900Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816906Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b44dfe8ea675910799fefab7626993926c04bad32091ece3dbdad5add31a6f15", "comment": "Vulnerable Kernel Driver (aka CP2X72C.SYS) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad5dc8a5-2939-5264-9160-26080b181598", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.618116Z", "creation_date": "2026-03-23T11:45:29.618118Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618123Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "747a4dc50915053649c499a508853a42d9e325a5eec22e586571e338c6d32465", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys nd nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad651037-1a8f-5600-bd47-eac407208934", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981129Z", "creation_date": "2026-03-23T11:45:29.981131Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981137Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5d7bfe05792189eaf7193bee85f0c792c33315cfcb40b2e62cc7baef6cafbc5c", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad67379c-3778-576e-b45c-6ffb795bbd94", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828076Z", "creation_date": "2026-03-23T11:45:31.828078Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828084Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d200394680f969b902951bec3b04794f63b80feee6cbbf596a0dda1693153087", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad691297-4e28-5fd6-a59e-88e860c5c6b9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835555Z", "creation_date": "2026-03-23T11:45:30.835557Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835563Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "d2e56c0054d51b0a3a1493e2bcbe44abac80c783f31377c8896318f9177c3b0b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad75de23-ef40-5718-abc1-35a86666c845", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827125Z", "creation_date": "2026-03-23T11:45:30.827127Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827132Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f5df280ce9d7e58d1c616dd31b791b6242e760dd08b0ba6ce0a75519ae4e3248", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad77415c-90d8-504d-9557-3afd64f3b62a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832297Z", "creation_date": "2026-03-23T11:45:30.832299Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832304Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b39e438dd063696dcb010e39f49601c04b06e603c64b65fa5f1653ab0f31cff8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad7a00b0-f5cc-57f3-808f-b0b8755ba927", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972439Z", "creation_date": "2026-03-23T11:45:29.972441Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972447Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1452103306895429c54ba1735800b8c8694c3165cdef32ca12ed6ce348019292", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad832e4c-6586-56c6-b747-6b353cc47f42", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145165Z", "creation_date": "2026-03-23T11:45:31.145167Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145172Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "de7cbbcb95e3079eb3b7afc47410796ef072218ad844e00f154594d0bc9064e4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad846fc2-ae2d-5079-bb3f-848ec8817bc5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974836Z", "creation_date": "2026-03-23T11:45:29.974837Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974843Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "44120b712e4b5ef3b302f03b7aa61f9f6fe6820d966addbcc43d8e09402e5906", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad8995f3-7069-5e4f-8a20-32bdb162412f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491831Z", "creation_date": "2026-03-23T11:45:31.491833Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491839Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff2e6875b1946c037a15d4194e7c4e5551576236577b336997e590244141ff54", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad8e4eb7-a4aa-5402-a1e2-8fa34145a1da", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829027Z", "creation_date": "2026-03-23T11:45:30.829029Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829034Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4f73a08257789f98459f92c48c8dca7bd1616fb568823f230f17d559c27aee22", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad8ee40f-268c-5b96-9c9d-2a2fd17d7e65", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621176Z", "creation_date": "2026-03-23T11:45:29.621177Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621183Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c55b6620216c195ce24ef21e6ab7e181146fccf17c06606c4cd419fe3e45bd7", "comment": "CoreTemp Physmem dangerous drivers (aka ALSYSIO64.sys) 
[https://www.loldrivers.io/drivers/4d365dd0-34c3-492e-a2bd-c16266796ae5/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ad9142dd-5509-5c3d-857d-fb1db26fd67b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457245Z", "creation_date": "2026-03-23T11:45:30.457248Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457257Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "198a4dc1c4bd7eff31ff4d1952a592170b25bfb5fedcd9d5d4c4fd3707337e42", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ada923e8-238a-54d0-bec6-ce48fff76c39", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973620Z", "creation_date": "2026-03-23T11:45:29.973621Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.973627Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4bc0921ffd4acc865525d3faf98961e8decc5aec4974552cbbf2ae8d5a569de4", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "adb46306-ea15-5618-b8d6-56f05297f3d7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821236Z", "creation_date": "2026-03-23T11:45:31.821239Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821247Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4f44b9c956a98d453454f79d91dbb4e8768d5b671e4a413609e2cd866778d872", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "adc71f6d-2bf8-54d6-bd6b-0adab8d56586", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973982Z", "creation_date": "2026-03-23T11:45:29.973984Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973990Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c9014b03866bf37faa8fdb16b6af7cfec976aaef179fd5797d0c0bf8079d3a8c", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "adc740ca-4e15-5afe-88c0-66643cbde6ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618305Z", "creation_date": "2026-03-23T11:45:29.618307Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618312Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "df996d5a06a2e2ecc087569358b1957d500b176ec7ed37031bcee440963d9d80", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] 
[https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "adcfe4ca-e716-5ffb-91b4-a3b651fb7a61", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810558Z", "creation_date": "2026-03-23T11:45:31.810560Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810565Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a1150b251622c9ae01cb7c1939f77de16a2543b37d3cb46271f3aadc314310f5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "addbaf10-deb3-55b8-b25b-3671ee03fd11", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833534Z", "creation_date": "2026-03-23T11:45:30.833537Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833546Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "22e67a311baf7084390e9a1b32259f687b83cae75d6632be82ed8bf77a4facfe", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ade3e6ff-48cc-5ab3-a065-f8da63c5eedf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817742Z", "creation_date": "2026-03-23T11:45:30.817745Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817753Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7c62a659a4f8fdecfd5a64f4f4391852996db564d123fc5d20e3f3dfb11ed62c", "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "adedd4e1-a3ab-591a-ade1-5844e56399a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456076Z", "creation_date": "2026-03-23T11:45:30.456079Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456088Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "13d7c729c019c1c5a4b3e9fb27d1dd0b992fb7099f4314e011aafcb3472b7107", "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "adfd0926-734c-5530-adc3-a93f0d39203c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145817Z", "creation_date": "2026-03-23T11:45:31.145819Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145825Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "53ff5a5d249b46963193ad6ace0ad2eed3015f75c21f336a9356587a24626039", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ae04f8e0-70d0-557b-8c0b-82a6429b5728", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454036Z", "creation_date": "2026-03-23T11:45:30.454039Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454048Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0eab16c7f54b61620277977f8c332737081a46bc6bbde50742b6904bdd54f502", "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/bc5e020a-ecff-43c8-b57b-ee17b5f65b21/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ae12a09f-49b3-5257-af6a-3cf87530f738", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829202Z", "creation_date": "2026-03-23T11:45:30.829204Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829209Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "341112cb43a877160f2c2b49c815e00d2069dbd3d7151660c1bd7aa0a48798de", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ae1fcc51-187e-5984-8bdb-f96e64c33ed9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817304Z", "creation_date": "2026-03-23T11:45:31.817306Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817311Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a7fd5ee391257e27e9f62cba119818229e873fe4ac1ff3d8ce58ceb461cd3679", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ae29637f-c982-56f5-844e-863e2ccfa65a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835910Z", "creation_date": "2026-03-23T11:45:30.835912Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835918Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d60c23bb3d66311291cf83fd65a368d7633138123d3128e5c7102f5dbc810603", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ae2e71ba-7048-5943-94ab-52026fb9fcd8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477290Z", "creation_date": "2026-03-23T11:45:30.477293Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477302Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0dc4ff96d7e7db696e0391c5a1dda92a0b0aedbf1b0535bf5d62ebeec5b2311c", "comment": "Vulnerable Kernel 
Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ae34fd73-6596-5769-9458-9605fa08ca8a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825132Z", "creation_date": "2026-03-23T11:45:30.825136Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825146Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "453ebab8125afc45e99d961bdd0471e6ac75d17636d8a07f5b1ec50a2e6c7ee7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ae3cf975-c2ac-58b3-a54a-9a37ac42cf65", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608631Z", "creation_date": "2026-03-23T11:45:29.608633Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608638Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c5bd7563d8f97c73577cc0e90b5f7b7764940250067bf4cf6e739d27ffd26a5b", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ae47271a-4399-5cd6-98cb-b9b7f4d4d151", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141121Z", "creation_date": "2026-03-23T11:45:31.141123Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141129Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d4e4ec99d8c460bbe7a13c1e8ff54dedcbf45b6fbd204eb6a628c25933d8f2b5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ae48bbea-c71b-5880-a655-221694433305", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462199Z", "creation_date": "2026-03-23T11:45:30.462203Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462211Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "82fea578188662b4ed6df4c3aaaf6ebae72a6cd2f8bf135a89150cca1769156b", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ae526818-b10c-57db-aec5-d7946e11b165", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818213Z", "creation_date": "2026-03-23T11:45:31.818216Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818224Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "557df7d5121ad120c2969b470757e44291abc2bdd2e3b0c60772d5c5f1bc23c2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) 
AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ae596425-e3e7-5329-8a5c-5641c3e37ede", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830257Z", "creation_date": "2026-03-23T11:45:31.830259Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830264Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "429f5d277168ca8c967b1502381190fbaa147707feb6ff580a371fe29045337a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ae5e89b9-4a3c-50ad-a710-2655ba969617", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460408Z", "creation_date": "2026-03-23T11:45:30.460411Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460420Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "54bf602a6f1baaec5809a630a5c33f76f1c3147e4b05cecf17b96a93b1d41dca", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ae827a04-2ff5-58fa-bbec-8574e2dfef4e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469486Z", "creation_date": "2026-03-23T11:45:30.469489Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469498Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "374bb09b4d6a9f21a5e2320343068bd44848f396d9b25a6f4d80931e6d9505ce", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ae830a4f-c9dc-5d2a-b666-054bde0122bb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491369Z", "creation_date": "2026-03-23T11:45:31.491372Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491380Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "97445ce282a3f1fa81f60aad2897c04627510fe8aabf82bae7dab7c3557bccec", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ae86594e-5289-5edf-852f-c361582b9f21", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967567Z", "creation_date": "2026-03-23T11:45:29.967569Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967575Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f83c357106a7d1d055b5cb75c8414aa3219354deb16ae9ee7efe8ee4c8c670ca", "comment": "Retliften malicious signed drivers (aka netfilter.sys) 
[https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ae876ee6-441e-545d-81e3-9eba6c401dac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150461Z", "creation_date": "2026-03-23T11:45:31.150463Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150468Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fe1f8fbbcc623adace57f324e95ba90c3d31180dda932e84bcb6172da78af133", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ae8beed8-1877-5929-976b-19aeda4277d5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477516Z", "creation_date": "2026-03-23T11:45:31.477519Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": 
true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477529Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4fe85d8e2dc09a022c6c2a2f3cba4c656bf74785a896de052b60c67fa3ba55b0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ae907d59-39c2-5da8-ba3c-b4dfeb5d1420", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608103Z", "creation_date": "2026-03-23T11:45:29.608105Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608110Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cf3a7d4285d65bf8688215407bce1b51d7c6b22497f09021f0fce31cbeb78986", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ae98a251-5578-5348-b099-c2ecb176884e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610794Z", "creation_date": "2026-03-23T11:45:29.610796Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610801Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dbb457ae1bd07a945a1466ce4a206c625e590aee3922fa7d86fbe956beccfc98", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aeb7583e-f49d-5838-868f-ae10be7abc2f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604699Z", "creation_date": "2026-03-23T11:45:29.604701Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604707Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "de6bf572d39e2611773e7a01f0388f84fb25da6cba2f1f8b9b36ffba467de6fa", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) 
[https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aec922b7-116e-5c07-9413-eea77b1a5cf9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818465Z", "creation_date": "2026-03-23T11:45:31.818468Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818478Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a079dc1a975c5ec4aa199a683917e83aa919f60d0fa4a2db2964fab0c79949bb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aed057d0-78e2-5a96-8df2-66378a4cc35a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826207Z", "creation_date": "2026-03-23T11:45:30.826209Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826215Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3438e79b93d2a31d2da9a18a806cf3baaf0e75ae238cad04e3013e7e546256f1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aee014f5-8d4f-5fe2-9763-451b59aac9ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470490Z", "creation_date": "2026-03-23T11:45:30.470494Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470503Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bdd173909efc3bb3c5d216ea0fd9ec5e935c2572ef48973eeb0917b733ff754c", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aee701b0-c2e3-531a-b1fc-dd3bcf7eb01d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607204Z", "creation_date": "2026-03-23T11:45:29.607206Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607212Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fe4270a61dbed978c28b2915fcc2826d011148dcb7533fa8bd072ddce5944cef", "comment": "Dell vulnerable driver (aka dbutil_2_3.sys) [CVE-2021-21551] [https://github.com/SpikySabra/Kernel-Cactus] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aee838be-03a4-5c4c-a1a3-3df8ccb52f2b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984982Z", "creation_date": "2026-03-23T11:45:29.984986Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984994Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eb11a4270a6980a97ea8775422dacbd1e763b7e5898f0a80c71c91449fff7ab4", "comment": "Dangerous Physmem Kernel Driver (aka BS_Def64.Sys) 
[https://www.loldrivers.io/drivers/4a80da66-f8f1-4af9-ba56-696cfe6c1e10/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aeecb672-0bee-5bc7-b8b9-749cc6c06120", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985898Z", "creation_date": "2026-03-23T11:45:29.985900Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985905Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "24c900024d213549502301c366d18c318887630f04c96bf0a3d6ba74e0df164f", "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "aeee4d0e-095b-5bb9-8c98-17a3ef01269e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981314Z", "creation_date": "2026-03-23T11:45:29.981316Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981322Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9e2622d8e7a0ec136ba1fff639833f05137f8a1ff03e7a93b9a4aea25e7abb8d", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "af0ce512-2ea3-5221-a5ae-eb53191a24df", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487631Z", "creation_date": "2026-03-23T11:45:31.487633Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487639Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c6692a2d344410c24137e8b1d9fb8756167c7e29139a9148699bc68144faf2fa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "af0d2ee1-0202-5f5f-a533-7385c2d84670", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825835Z", "creation_date": "2026-03-23T11:45:30.825837Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825843Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d029a7d13535a3f296fa0699be78aa3566b92593f60d5842c816488cff36693c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "af12f81d-eb60-5ea0-bc6e-1bd268a67ec4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477607Z", "creation_date": "2026-03-23T11:45:30.477611Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477620Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7cf756afcaf2ce4f8fb479fdede152a17eabf4c5c7c329699dab026a4c1d4fd0", "comment": "Vulnerable Kernel 
Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "af18d9e0-72d1-5a9f-ae4f-1a4c62ca085f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151212Z", "creation_date": "2026-03-23T11:45:31.151214Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151220Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ccd57ee422366be97722b902cf530d071bc7315cbad77c6ebf86a432f685c4b4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "af1a895d-8eea-58d9-93d9-6eb2aa8d5c10", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472094Z", "creation_date": "2026-03-23T11:45:30.472098Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472107Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "69640e9209f8e2ac25416bd3119b5308894b6ce22b5c80cb5d5f98f2f85d42ce", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "af357cc6-1102-5859-ae0c-385eb26338b6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617799Z", "creation_date": "2026-03-23T11:45:29.617801Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617806Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "da8945bd5c693c0593c9d0e3bda49bb1c6007cb25643c95708c6b10bef7c136a", "comment": "Getac Technology vulnerable BIOS update tool (aka mtcBSv64.sys) [https://www.loldrivers.io/drivers/3bc629e8-7bf8-40c2-965b-87eb155e0065/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "af3cbd70-77ed-5e3e-a934-e83c74938306", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824682Z", "creation_date": "2026-03-23T11:45:31.824684Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824692Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1a84cd1c7cc9c0329e65fd5735586285239a010a5e83dd126c7504179a80918f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "af3d05a9-3635-501f-b289-43481c1d36a7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808783Z", "creation_date": "2026-03-23T11:45:31.808787Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808796Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fbe27ef8d48a5cf80ffd8e085cc4d40857fc946b0e3b99d4da0d1a765ee0639b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "af488912-f1d2-5ca4-ba64-a2217e0d7f01", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607630Z", "creation_date": "2026-03-23T11:45:29.607632Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607637Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "696679114f6a106ec94c21e2a33fe17af86368bcf9a796aaea37ea6e8748ad6a", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "af48e9c3-a04f-5b91-837c-2c2c2ab58bca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604573Z", "creation_date": "2026-03-23T11:45:29.604575Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": 
true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604580Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5db0fe4b16744f14b4ab1d255a4d3c63710d0073417bae9bb3bfeef4a09d38e0", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "af58c950-3979-54af-b34b-46eec406dadb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615697Z", "creation_date": "2026-03-23T11:45:29.615699Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615704Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a502c904a7fe42183d3ea66f1e01fbd4321eb202280b054b9124dd333f093ba2", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "af5ab8c8-e7eb-5beb-a908-cd7268cc62de", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814147Z", "creation_date": "2026-03-23T11:45:31.814150Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814166Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8862e36702119584f443eb9a4bcb8df31cd6364ed2e545e6fd0d2bdcc3f453d1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "af60699a-fd52-5f26-933e-09bfa83ee05a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481186Z", "creation_date": "2026-03-23T11:45:30.481188Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481193Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4d7d06d2f6af50ff5810c8d6a818cb59da635a56c0fdae5d0ed3d0aee4bedf3e", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "af6bc271-2a53-5ea8-9be0-14998853cb62", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980882Z", "creation_date": "2026-03-23T11:45:29.980884Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980890Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ffd03584246730397e231eb8d16c1449aef2c3bc79bf9da3ebf8400a21b20ae7", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "af81c2bd-ee89-567a-843f-3a116ea3e92f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818031Z", "creation_date": "2026-03-23T11:45:30.818033Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.818038Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "442f12adebf7cb166b19e8aead2b0440450fd1f33f5db384a39776bb2656474a", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "af8c72ce-778f-5c29-bcc4-0a45ec488456", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813142Z", "creation_date": "2026-03-23T11:45:31.813146Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813155Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "94fb2c5a93881c8202ece91e31428061bfb595cb17126a64b4f595fa99798c2e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "af9c28c1-7faf-5062-b560-ddb9f86b4e7b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811729Z", "creation_date": "2026-03-23T11:45:31.811731Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811736Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f7f31df69b8dc1460966ba3c1921cf051ae82b33524b7d1670108b87f727ad8b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "afad859b-ccaa-5da7-af56-cd0b67e64e0a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477637Z", "creation_date": "2026-03-23T11:45:30.477640Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477649Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "07af8c5659ad293214364789df270c0e6d03d90f4f4495da76abc2d534c64d88", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) 
[https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "afb2121e-e12e-5702-ab1d-a9e9cfeba8c6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481221Z", "creation_date": "2026-03-23T11:45:30.481223Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481229Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e2decc56788d257ce7f6b1915c90ea5a54fb5232f2bf9f311958de495a4eb308", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "afbba428-730f-543a-99d9-6da7af2060ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983508Z", "creation_date": "2026-03-23T11:45:29.983510Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.983516Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b583414fcee280128788f7b39451c511376fe821f455d4f3702795e96d560704", "comment": "Vulnerable Kernel Driver (aka KfeCo10X64.sys) [https://www.loldrivers.io/drivers/3e0bf6dc-791b-4170-8c40-427e7299d93d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "afbc4def-affe-5dce-a46f-c422ef56df2a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979550Z", "creation_date": "2026-03-23T11:45:29.979552Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979557Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "06c5ebd0371342d18bc81a96f5e5ce28de64101e3c2fd0161d0b54d8368d2f1f", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "afbfb572-15f3-5e1b-a2a7-b52448414d5f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830464Z", "creation_date": "2026-03-23T11:45:31.830466Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830471Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9bf3fa1666670063f79fff789c55dcff9c6038f642b92f9fbc7ba53ba7460e21", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "afd1dc69-25f3-53ee-8ea4-fb89a1f5d027", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972950Z", "creation_date": "2026-03-23T11:45:29.972954Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972960Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5cfad3d473961763306d72c12bd5ae14183a1a5778325c9acacca764b79ca185", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "afe33387-da13-5e84-9138-ea7fe3012183", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619609Z", "creation_date": "2026-03-23T11:45:29.619614Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619619Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0e53b58415fa68552928622118d5b8a3a851b2fc512709a90b63ba46acda8b6b", "comment": "Vulnerable Kernel Driver (aka SysDrv3S.sys) [https://www.loldrivers.io/drivers/cf49f43c-d7b4-4c1a-a40d-1be36ea64bff/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "affbc424-49e7-558f-a44d-4257dd516943", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825989Z", "creation_date": "2026-03-23T11:45:31.825992Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825997Z", "rule_level": null, "rule_level_override": null, "rule_confidence": 
null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6661ef3ce558cbdf27a01a4a4a6084fc2401cf4c13ba8615ec4690538b332f09", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b003ff71-c6fd-507d-a73f-5f206ad1ee3a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156397Z", "creation_date": "2026-03-23T11:45:31.156399Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156404Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1f8c7f9b8f55ac4236e25f9bdf962f507c3cf2e7f2d57782e9c9a0ac88a60da3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b004ef32-a9f2-59b6-a0c7-5e340b6a1588", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480192Z", "creation_date": "2026-03-23T11:45:30.480194Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480199Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "51145a3fa8258aac106f65f34159d23c54b48b6d54ec0421748b3939ab6778eb", "comment": "Vulnerable Kernel Driver (aka GEDevDrvSYS.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b005447e-f821-5d64-89ef-549eba2844f1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981349Z", "creation_date": "2026-03-23T11:45:29.981351Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981356Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eba14a2b4cefd74edaf38d963775352dc3618977e30261aab52be682a76b536f", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"b0278ac7-09f4-5351-8bc0-d7477acca052", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836397Z", "creation_date": "2026-03-23T11:45:30.836399Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836404Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6af8011def8267140004e3d2f779544862127d3840aaf570026ee5c5418e62d2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b03e29a1-dcbb-51c2-a01f-057ae6db0957", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825220Z", "creation_date": "2026-03-23T11:45:31.825224Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825232Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f307933a0d6a66dbf391be25208cdb286720ba443887f6d3d7abf3bbc494ebe1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b0416042-feaa-570d-9c09-c7629be61d3f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473815Z", "creation_date": "2026-03-23T11:45:30.473818Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473826Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7f8cabb101d8ee0d76444fa4caa115b88b53ad8bd95516cae563bf92b910fa99", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b04aa3dd-d6e3-5388-8dc2-7572b5114c33", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160794Z", "creation_date": "2026-03-23T11:45:31.160797Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160802Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0b09543f14f144b11c4628de5a69aef95d4fa2682759498bb7b267fde8edefb8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b04c601b-6a4b-5178-9a28-8ecde24948a6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978207Z", "creation_date": "2026-03-23T11:45:29.978210Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978218Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "640eeb3128ae5c353034ee29cb656d38c41353743396c1c936afd4d04a782087", "comment": "Vulnerable Kernel Driver (aka t7.sys) [https://www.loldrivers.io/drivers/7196366e-04f0-4aaf-9184-ed0a0d21a75f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"b0536d73-9dbf-558b-a122-7766f4723d25", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818736Z", "creation_date": "2026-03-23T11:45:30.818738Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818744Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fe9c104a3bb9184a8f792f3f8a3e90d83b9f19cf83cd93d116b02e17f54d727d", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b058cd85-82dd-5835-8c8c-472b01fcb7a8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477035Z", "creation_date": "2026-03-23T11:45:31.477039Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477049Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "5b1283f50cc1b7853ca7fdee3cd3c8b3d011ce3aabb4d6e83ec9217cfdbc322d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b069b788-316d-5ef6-b7b1-4a43387769be", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151414Z", "creation_date": "2026-03-23T11:45:31.151417Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151426Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b96332b61a4792bc73266b1e9f21fbef0bd0797a9fba283397285f5230028318", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b06dddd3-9b6d-5f0b-9ce6-0fe8c2ecb925", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468406Z", "creation_date": "2026-03-23T11:45:30.468409Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468418Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5e1c7bdb1fa71145a0704a5f00d894043a7754cb82d1d8213cb6a899bd767cab", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b06fbcd9-6018-542a-87ce-52e97c712370", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817347Z", "creation_date": "2026-03-23T11:45:30.817349Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817354Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "42f468244050bafdcfc061c0eb468fd78267f93404b8703353d68fdca8b4355e", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b0895aeb-4d37-5818-9b8f-ca4f6ccf4c52", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486858Z", "creation_date": "2026-03-23T11:45:31.486861Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486888Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a0ef83ed123736df20c481c60a146b1cd2d77aa208b3fd7afa97e473fd818307", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b0bac34d-09a7-5b2d-ba66-17b7e555e11d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968350Z", "creation_date": "2026-03-23T11:45:29.968351Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968357Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "b45d78a6780f125143dbd198ac2439be78424e7ae37a4234541ecb327dc190c1", "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b0bdafa1-f131-56b9-bfca-c7335ce4845d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486694Z", "creation_date": "2026-03-23T11:45:31.486697Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486705Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "99b45b19810074d650a66ea02e45c47c2d700fecb0af241f17c2a668022fc5bf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b0c12e72-aed0-5694-bb56-b983a18e86ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140764Z", "creation_date": "2026-03-23T11:45:31.140766Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140771Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fdfe2efb742559b5ab8c16f8db3cfd184ade59496e50d95bc6c6e12ae1165a83", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b0c4eebc-415a-5783-ad1e-26e4f2668eaf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476769Z", "creation_date": "2026-03-23T11:45:30.476773Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476782Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5ebfc2c2fc43fc34cc98378f627e6147af473cb37076f4c2ba278210bd88b2bf", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"b0cc75f3-af79-59e6-80e6-43d76c7d0348", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826007Z", "creation_date": "2026-03-23T11:45:31.826009Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826015Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6484833b1554e5113239e79a6ea3265863e4a9e03eb3817b6e15c9bd4cfdacc0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b0d648ed-730b-5b1d-8614-ebe8b7880d39", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152443Z", "creation_date": "2026-03-23T11:45:31.152445Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152453Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8c92f5d0513886ce03745e30a704c34a64f3f70cde9d662f0d655143b3086e4f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b0e3e3d5-051f-56b4-87ad-cc07e4efe3ac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144563Z", "creation_date": "2026-03-23T11:45:31.144565Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144570Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "627ef26e42d9c857196d4028d87ca9f7bdb6e6a034a1e157272556840b7e814c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b0e4c212-df36-589d-85de-aba2df9a1aa4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146848Z", "creation_date": "2026-03-23T11:45:31.146850Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146856Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "53b09a961939d2aa82a329634552ad47eb39cbf920454987187bc3bbf29f02da", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b0ec92f6-8d3a-5d6f-93c4-4bfc618f6f69", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146175Z", "creation_date": "2026-03-23T11:45:32.146179Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146187Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "df72cb33a23ae8f6f9dc64bb738fcfaea959368ce05cf399f3c7db5e90104bd7", "comment": "Malicious Kernel Driver (aka 2.sys) [https://www.loldrivers.io/drivers/bb1f80f3-d2fd-463e-9403-57c919bd976b/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
} { "id": "b0f50ea9-1782-5ece-8698-046bbf53093d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480209Z", "creation_date": "2026-03-23T11:45:30.480211Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480217Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a369942ce8d4b70ebf664981e12c736ec980dbe5a74585dd826553c4723b1bce", "comment": "Vulnerable Kernel Driver (aka GEDevDrvSYS.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b0f78f32-f498-5dff-bf1f-0b4a0ce0c17d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150286Z", "creation_date": "2026-03-23T11:45:31.150288Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150293Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "7bc0fdb1d47f9a657a3af869fe3cbc6895b118875cc448c4406f9a066c9e610e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b0f87ddd-022f-55e1-8b6a-ccb03d2d0266", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160456Z", "creation_date": "2026-03-23T11:45:31.160458Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160464Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "72ca577f73bb6c1c423ca9169850227765f39ae86be8d89d816294b77332079d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b0fb0b76-6396-575d-bed7-47a52216575b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830402Z", "creation_date": "2026-03-23T11:45:30.830405Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830410Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "56749ce01bca38992e4f639991a191463712f04a38ed7e92a737f7077c961392", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b10207c7-11e6-54f0-9782-9542eb82bf27", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143335Z", "creation_date": "2026-03-23T11:45:32.143338Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143343Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "08209cd92723526d56863e89f283750e2ee57c69db37ae501aa889c0c60bb552", "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"b1153b67-1bd3-53a6-bf61-fc6fce7d604c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828011Z", "creation_date": "2026-03-23T11:45:30.828013Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828019Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d4093dac36e4568b942aa3d409b6b195b98b66f75221cc89ae750f690c901315", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b11f206e-782c-5b2a-9328-a64c163048b6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618549Z", "creation_date": "2026-03-23T11:45:29.618551Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618556Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dde12d20a00f7987f6e53eeeee3d5667482940f06d012a0003b80f217a105d74", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b1222eac-a528-527a-bcca-132ebc659adb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830125Z", "creation_date": "2026-03-23T11:45:31.830128Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830137Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5964196f057eac00f73caccae0f54d34c79f921f9c53070ad6308f9ac035c8e1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b1273a07-cd22-52c1-9a81-3507acb2159b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147858Z", "creation_date": "2026-03-23T11:45:31.147860Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147865Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e5747e031599aa68a628608e0a074959a8af6b1f9503bf1dc4a317f95667fa1f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b12ac103-c6ab-5a9c-83a4-a7f8e0c492ae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498577Z", "creation_date": "2026-03-23T11:45:31.498580Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498588Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6c51320f954ce1505349fc33e06a5fabcfe3396a9736f79a119199349e99850a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b12b96d9-627f-53b3-ac7e-20a8e13a5bb5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979760Z", "creation_date": "2026-03-23T11:45:29.979762Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979768Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aa833c9e3bcdc33eaf64fd913e80f5b9ce60618f6e3ff4c386420fea4a494380", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b12f89c0-92e1-5b90-aeb4-f1f90d3b7c70", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605559Z", "creation_date": "2026-03-23T11:45:29.605561Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.605566Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "28a1e3627deded98e1620b815422ae15f1dd1d4d643b7b92af97412961791a6a", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b137b05b-9361-5a67-9ce5-3503f1a980cb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820142Z", "creation_date": "2026-03-23T11:45:30.820144Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820149Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "047ce557cc7bb580af457c151233b5114de6efbc9bf5e8c919fab453cebe5fa6", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b137bab6-59b2-54b2-b329-f5d07b1b9fc3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485257Z", "creation_date": "2026-03-23T11:45:31.485260Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485270Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f5c412af37fe3f227d6d4288ae4999e14b81fd8a2e6c9705a9d4b025e4652153", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b13e09e5-ff7b-5f77-9484-80c14f927ae4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974987Z", "creation_date": "2026-03-23T11:45:29.974989Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974995Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "03192bacd96989bad4181609295764f61a86d2ec9f7918a90a219e674ae3097f", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] 
[https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b1418c62-fdfb-5179-b107-4a6e52f30ef9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143968Z", "creation_date": "2026-03-23T11:45:31.143970Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143976Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e3c2f47cd5f0ba9e70449ce7339e231be97b45a02ddcf8859018a84064faaeed", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b146bea5-8e10-56eb-bc6c-4950767b5879", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612092Z", "creation_date": "2026-03-23T11:45:29.612094Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612099Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "000e984d3eebc54259a24a17745eed07d9c3658b86462cb5ebc26381302f7a38", "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b14a166f-e52a-5f66-ae5b-255f335ba1d7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488063Z", "creation_date": "2026-03-23T11:45:31.488065Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488070Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c9e677f9f681130a8cfa94ec0ff17120ba647ac6d323912d4eed10223ef9f21f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b14b4e59-bd7f-51b4-9ec6-93d1f6e7b2b6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157187Z", "creation_date": "2026-03-23T11:45:31.157189Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157195Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "49ab087361a9c59829f14b1bc9a49fb0de55649cea0564f6a27c099b4ee7338a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b1585483-b5f7-5c9a-b761-140acbe61751", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614438Z", "creation_date": "2026-03-23T11:45:29.614440Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614445Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2bbe65cbec3bb069e92233924f7ee1f95ffa16173fceb932c34f68d862781250", "comment": 
"MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b15875cd-ac0f-507c-b1a3-785c4a715445", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828329Z", "creation_date": "2026-03-23T11:45:30.828331Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828336Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1528dc51550159f8e11866fa29b36383f49905bc84bcd0ff07260d35475d0d37", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b15b0f30-b42f-5c06-9aa6-2bc3abfd2f36", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613260Z", "creation_date": "2026-03-23T11:45:29.613262Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613267Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f40435488389b4fb3b945ca21a8325a51e1b5f80f045ab019748d0ec66056a8b", "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b1631c72-c97a-5a87-996c-709053138d1f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150704Z", "creation_date": "2026-03-23T11:45:31.150706Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150711Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "962d1a1d3316212a0f66ce825c4737d41f59c2e0743be36c3e1308f0bb7939a0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b16f0a41-7402-5aa2-9fa3-c4989ea520b7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146528Z", "creation_date": "2026-03-23T11:45:32.146530Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146536Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab811ca59a8a8e92fff3eca9d359a8ed5482e781c97e63dbece046d929d0a79c", "comment": "Malicious Kernel Driver (aka driver_ab811ca5.sys) [https://www.loldrivers.io/drivers/09d2e61d-e041-4ec8-ab7b-385848456a36/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b16f5f6f-b1ca-57f6-9eb8-3d6311488e34", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150824Z", "creation_date": "2026-03-23T11:45:31.150826Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150831Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "de4cd4aa2021854e1bca582ec7a51562ab458bfd12a4b2930f85fa53d1e09915", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b173616e-abe7-5e26-ac44-efc7194f46e1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149120Z", "creation_date": "2026-03-23T11:45:31.149123Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149132Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "916ef806f5e08f7e5c882bd4efca3503e5e8131bb32493f8d618959eab054c78", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b191a678-ede1-5633-95a9-6688e61e93a0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605806Z", "creation_date": "2026-03-23T11:45:29.605808Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605815Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bd7c706caa4063ce243d2c4b7e5f32418d1ad3700692ce63618b3911981573d1", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b19c9ceb-6679-515b-a8b8-5ca43e46c102", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606795Z", "creation_date": "2026-03-23T11:45:29.606797Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606803Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d28acafeb6a85294d2672fa894a2934599713aa9ce1b21184dc1ec34131af7bb", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b1a17760-5e85-57fe-82b5-6675cc5d7ed0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493821Z", "creation_date": "2026-03-23T11:45:31.493825Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493834Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f2c74d551604daac486eb93d4513c650842e4d7f34801038ba146d76df7100a8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b1a3ce7e-9e2a-55c6-a75b-8a11998d69bb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829593Z", "creation_date": "2026-03-23T11:45:31.829595Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829600Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "729d3ba336cb62d60a7581db4e98c93f1204563f5a63fc53950f09081a44bb55", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b1ad2ae4-408d-5761-ada2-3058f26d6737", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823719Z", "creation_date": "2026-03-23T11:45:30.823721Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823727Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "de3c01dda0a23c1d12823848e9d79bc5b3fbc349e840dce7659d06bd898ada65", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b1b20f2a-8649-5dda-88ad-ab239298af43", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153989Z", "creation_date": 
"2026-03-23T11:45:31.153991Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153996Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d3a8e0bd46ef4bf0787a0a4719908d7ac5cae5cafb313dc3b304be18e13b9369", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b1b7dc49-0701-51cd-9cce-2cff73228f8a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455220Z", "creation_date": "2026-03-23T11:45:30.455223Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455231Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7f1772bdf7dd81cb00d30159d19d4eb9160b54d7609b36f781d08ca3afbd29a7", "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b1c6d3f0-1e3b-52b8-a923-8876feea9882", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495456Z", "creation_date": "2026-03-23T11:45:31.495458Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495463Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7d4fdd1092fd1a642f2c23b49e7c42c7c0a5c28849e28ecb58b0242fbf76e8b7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b1cfffdf-163d-5c8f-ac3c-8702d84413a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604224Z", "creation_date": "2026-03-23T11:45:29.604226Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604232Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"55f736e288a101c08b7245ccafe158f5a2e6f0a581f49a87d24e5cbbde8961e1", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b1d5e065-6e1b-5e01-accb-967041eee440", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472693Z", "creation_date": "2026-03-23T11:45:31.472697Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472704Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c880d0eacf7a11fb922b63b7f23e2ad484caba4dc566c2b050470a2880cc1929", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b1e47a45-311c-5f58-8a33-97df3c6a36cb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830150Z", 
"creation_date": "2026-03-23T11:45:30.830152Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830158Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7b745f6fe075341d69120cb3f54e214d77160c0b344427356487b46a23bf756c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b1f44c28-9df3-5df7-b26b-67c0ee3bb43d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973688Z", "creation_date": "2026-03-23T11:45:29.973690Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973695Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "61befeef14783eb0fed679fca179d2f5c33eb2dcbd40980669ca2ebeb3bf11cf", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b207f879-cc4c-559f-bda8-90faf46eb9ad", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146813Z", "creation_date": "2026-03-23T11:45:31.146815Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146820Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "70c13945095582777449d210c2c7ddd5b95496c0456332c933ad79b5549b0eb1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b20f89a6-74f6-58df-bca5-8e5d0cf1781f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461640Z", "creation_date": "2026-03-23T11:45:30.461643Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461652Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "7433f14b40c674c5e87b6210c330d5bcaf2f6f52d632ae29e9b7cf3ca405665b", "comment": "Malicious Kernel Driver (aka mlgbbiicaihflrnh.sys) [https://www.loldrivers.io/drivers/b074dcb5-b278-4434-bdd9-14a055d724f3/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b215d0d9-7b14-5bc7-9cfe-0c6ed7984ab8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817736Z", "creation_date": "2026-03-23T11:45:31.817739Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817747Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "87c3de1b890663f6f8b41cae967520501a9f3fca34a7d2c8014aec819e7bffba", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b218ae30-b391-5b2d-9de3-939a276831e5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.618966Z", "creation_date": "2026-03-23T11:45:29.618968Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618973Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "11e3d9aa67ef620a452458f67e101aa513c7fbcca8f35e2e5d0e3403d9dee937", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b219d6ac-1366-54f2-a234-66bf9bb28e49", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.471804Z", "creation_date": "2026-03-23T11:45:31.471808Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.471817Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9c837d13c26b679c5fcbcdc2b40c3179310c81aa671bf1eafd3d800b3f0323f0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b22425ae-fc86-5a5d-9cad-3b9606a36f11", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474291Z", "creation_date": "2026-03-23T11:45:31.474295Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474305Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8ec06754fb3bb2f8ac49a097eba70483640b5c2cc5a7136837fa66bec9e884ca", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b22da231-d8eb-5198-8ef7-9b6dc403ad11", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829734Z", "creation_date": "2026-03-23T11:45:31.829737Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829745Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "235e378dd2ade7be420c6530d55efe088efc17c42dd936045dc9849785aa6f50", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b2337d25-1a28-5e52-9141-1f6b5d3eb660", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984923Z", "creation_date": "2026-03-23T11:45:29.984925Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984930Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "57e9de67e908186b3cb8180caa2e5c5d7b6bb31969557b8bd5710d79089e8868", "comment": "Dangerous Physmem Kernel Driver (aka BS_Def64.Sys) [https://www.loldrivers.io/drivers/4a80da66-f8f1-4af9-ba56-696cfe6c1e10/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b237b64c-e1c3-5bcd-a19f-d424c4435d34", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618824Z", "creation_date": "2026-03-23T11:45:29.618826Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618831Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6694435663bf283a3d5f20e9c90cf1bc4d3687e381b32e1a004a9d24471eb95b", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b23df79f-d77e-560d-a40e-eb11cddf10a8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473642Z", "creation_date": "2026-03-23T11:45:31.473646Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473656Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1429bbab0bd067235d06f5857f6976e42587863acd17ca022ab15e97ded5b4fd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b263ba80-da2d-5f98-924a-21c9eaf93681", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150391Z", "creation_date": "2026-03-23T11:45:31.150393Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150398Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cae63e4da0609c13fb1cfa859e5afedd5a8722ffbc764bf47eb276471a928050", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b271a294-a4f8-5b4d-b59d-cea2f3752cff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613083Z", "creation_date": "2026-03-23T11:45:29.613085Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613090Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8f23313adb35782adb0ba97fefbfbb8bbc5fc40ae272e07f6d4629a5305a3fa2", "comment": "ASUS vulnerable UEFI Update Driver (aka AsUpIO64.sys and GVCIDrv64.sys) [https://codeinsecurity.wordpress.com/2016/06/12/asus-uefi-update-driver-physical-memory-readwrite/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b27440a5-a394-5ee0-b335-f973eccacb39", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973705Z", "creation_date": "2026-03-23T11:45:29.973707Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973712Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "62f5e13b2edc00128716cb93e6a9eddffea67ce83d2bb426f18f5be08ead89e0", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b2751049-4219-502c-97be-c6bbc81ccb35", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479704Z", "creation_date": "2026-03-23T11:45:30.479706Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479711Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3482f671cb1b6414e43ab2c9bccc94c1fba67ceac6e9831249f18f31ad68880c", "comment": "Vulnerable Kernel Driver (aka amifldrv64.sys) [https://www.loldrivers.io/drivers/a5eb98bf-2133-46e8-848f-a299ea0ddefa/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b27da2ce-4743-51c9-95b2-c5335c5fc040", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467765Z", "creation_date": "2026-03-23T11:45:30.467768Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467777Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "16b6a65d569ad3d0a1ff5aaf2374c28cebab4a289ffee42b79f7a48d5979b579", "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b2891fc8-0b2d-56e1-b347-db736451c2c4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476339Z", "creation_date": "2026-03-23T11:45:31.476343Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476353Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b9c26b3727af0f6ef4ac8cc8648cb4ecc4ad77b02cb0677fcc493b18ca19cdd2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b293d4b8-7b1e-507a-92cf-4143d31fdd16", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830368Z", "creation_date": "2026-03-23T11:45:30.830370Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830375Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8abad96bc2cc4b6388c521671d3c68eed9f88b1e35256f9976974e34a5fe99c5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b29dba2f-df34-50f1-8499-e65d9cc8411b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145642Z", "creation_date": "2026-03-23T11:45:31.145644Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145649Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f7c7bd6b1dee634d5fb234bab0cfe341ff9f2845cddbe59a653366966f603e07", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b2a2c2d4-db7b-5b92-b9ac-3ad17d783db2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488500Z", "creation_date": "2026-03-23T11:45:31.488502Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488507Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "40a0c1cd71d8b3b4eb83fd39125cc93fd4f11ad82a83c5eabc69b4c38c998504", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b2a6d2e4-ddd3-5d5c-bc5e-6f99e8535d90", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824163Z", "creation_date": "2026-03-23T11:45:31.824166Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824174Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "37e5d3bd6a3aeade27febcd905646de65594601ca3650b2b9d79653f4fde73c5", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b2a99482-42d5-5f3b-95a6-95fd0b9921b5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826612Z", "creation_date": "2026-03-23T11:45:31.826614Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826619Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "62400cb2654a27de7b71c9515500836ccedc9708a2c6267129552cc94a9ee31a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b2aa9d34-8760-5271-a323-eaa046220692", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142736Z", "creation_date": 
"2026-03-23T11:45:31.142738Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142743Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "044a6623c9c09992ef540cc1ed340840cd97b60568e7a0fea1b73e317fa5a4c6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b2ace72f-aa44-5bce-afb9-3b505b77b840", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982342Z", "creation_date": "2026-03-23T11:45:29.982344Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982350Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "15fb486b6b8c2a2f1b067f48fba10c2f164638fe5e6cee618fb84463578ecac9", "comment": "Vulnerable Kernel Driver (aka winio64.sys) [https://www.loldrivers.io/drivers/1ff757df-9a40-4f78-a28a-64830440abf7/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b2b79da1-5013-536f-860e-1dd3775b40dc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811975Z", "creation_date": "2026-03-23T11:45:31.811977Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811983Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "33492b6fb772dfccd9ad5de4590d6f4f85b69557444b9391d306fcf737c4379a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b2bd0ba9-736c-52c4-a106-9bdb2aa84e70", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824686Z", "creation_date": "2026-03-23T11:45:30.824689Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824753Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"fe78f5401bdf2128cfd8b18aa9f8ca9dae09a26b90570c2a37c4605b98ab271c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b2bd2ea5-4ce1-59f1-80cb-2bb4ab6fd11c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817453Z", "creation_date": "2026-03-23T11:45:30.817455Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817460Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d033f5c0a764aa7ecff779cf7fe13140d7d8eb1645dd212f408ed2fa119e3b47", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b2be11e3-4779-5a9d-ad29-ab8e071b6d82", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.831784Z", "creation_date": "2026-03-23T11:45:30.831786Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831792Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b67d3d080d174ec014ca67e715cdbb9d82dbc8cde08722fa33e8727804e9d6bf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b2c4fa1c-93d4-5168-9f01-94df423dca81", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482539Z", "creation_date": "2026-03-23T11:45:31.482542Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482552Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "348c4503691db331aee05d76b0e092eb8cb7c593bcf0d3ee616bc3a3506d1dd2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b2cf9a09-d426-5315-a355-c398012f5cbb", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809045Z", "creation_date": "2026-03-23T11:45:31.809047Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809053Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1958544f77fb89a3b7bee11538ee9afc999385bdd3edf9925745ab82c32fcabf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b2d87ec1-472b-550a-999b-663285c7310d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835702Z", "creation_date": "2026-03-23T11:45:30.835704Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835709Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "2130c85eb9084ac6847764452ba207ee7d830020f736695307ad1601dacd4f14", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b2d899e1-b603-58db-af00-ac699d1807cb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970401Z", "creation_date": "2026-03-23T11:45:29.970404Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970413Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b2d2a55a8de6f8310081a59e28e35b51f3687762b86f116c30d0ac79e6821239", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b2da8954-f86b-5e1b-baa1-38f1de999333", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:31.809117Z", "creation_date": "2026-03-23T11:45:31.809119Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809125Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "568c6a1caf69392999b7208e31baf08c2090df27e429b594b615b4ffc36c2754", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b2df58be-ea26-5d0a-bfea-b71b5c45bd8a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983963Z", "creation_date": "2026-03-23T11:45:29.983965Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983970Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "453be8f63cc6b116e2049659e081d896491cf1a426e3d5f029f98146a3f44233", "comment": "Vulnerable Kernel Driver (aka LMIinfo.sys) [https://www.loldrivers.io/drivers/a02ee964-a21e-4b08-9c98-a730c90bfd53/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b2e62846-8e34-5c13-97c7-0463638ac223", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472288Z", "creation_date": "2026-03-23T11:45:31.472291Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472300Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "43f3c7c18f1bcacd3459b5ed63eefbcdbb61896bdeecb46fd492ff73556a34e6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b2f0d204-8c6d-5d92-82a6-a2c50177bedd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818523Z", "creation_date": "2026-03-23T11:45:30.818525Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818531Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "a188760f1bf36584a2720014ca982252c6bcd824e7619a98580e28be6090dccc", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b2fd89bf-6b34-5a25-b01a-d5dc2a756739", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985181Z", "creation_date": "2026-03-23T11:45:29.985183Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985188Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3384f4a892f7aa72c43280ff682d85c8e3936f37a68d978d307a9461149192de", "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b310293c-865a-5ff5-b5e6-4308a8518fa4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606456Z", "creation_date": 
"2026-03-23T11:45:29.606458Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606466Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "15484782626c0033d4718fe55370106aaab48fe3cc68695bf7724c5578686531", "comment": "Vulnerable Kernel Driver (aka nt6.sys) [https://www.loldrivers.io/drivers/e71f0866-e317-44d4-a456-d6f0c555aa73/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b31938f0-6927-5af3-aac3-e7255a59faa6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159574Z", "creation_date": "2026-03-23T11:45:31.159577Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159586Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "75d4cf044e7dbccbe2f601a2dd2fa0428a7d129a77847d91d0cbbaae059338fd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b32d8541-3d51-5b28-908f-91c5c4d84fff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494475Z", "creation_date": "2026-03-23T11:45:31.494477Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494482Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4833c38a5ef7256f78e8cd5c6ce5d58795061efbed04de331cc8ff3a2d32dac7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b3342d44-cb03-59bd-b83d-1aab8c2d2911", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820054Z", "creation_date": "2026-03-23T11:45:31.820057Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820065Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"7ec63ff447a7aa1fc3fe63378410ae4ba5c673b624d1a272308ce3fed47bd00f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b33c4458-7228-53e2-956a-fdc435f88534", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820436Z", "creation_date": "2026-03-23T11:45:31.820439Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820448Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a66f87966ea5c045dbd41ba4452679c01559f4e2e2fcd8a1c4552aff5be09f46", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b33e6c62-564a-5b5f-8e88-ca9a06c79c75", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821263Z", "creation_date": "2026-03-23T11:45:31.821266Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821274Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "198226366d49b62e0eb464096d64e40ad822f6c7f66f82249f69a17cdbcdb665", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b34738af-593f-536a-95d5-6e3fa11ef2e3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967711Z", "creation_date": "2026-03-23T11:45:29.967713Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967718Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "004c319b601312c834fe86ae7c292621dee80bc47609deba70d8ae7eaf499b72", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"b34ea632-95ba-561d-a2f7-3a3b6a78fc06", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493365Z", "creation_date": "2026-03-23T11:45:31.493367Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493372Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f44a9d08cb5f0b9f212269d11899367abf2c6cb8eb3400d1abcacc47c065327e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b35120d1-0066-53d6-b442-70a69d36fabd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150924Z", "creation_date": "2026-03-23T11:45:31.150926Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150931Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bdba77fac50a18117cb65f9b14c9b1ebdf361eb93cc6df75bdb45bd6b0a8e9f5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b35d85a3-22c9-5f84-b2e5-6fc2f03384f9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970428Z", "creation_date": "2026-03-23T11:45:29.970431Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970440Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3b2cd65a4fbdd784a6466e5196bc614c17d1dbaed3fd991d242e3be3e9249da6", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b36029ac-e6e9-53ba-9495-85a7b363205a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490765Z", "creation_date": "2026-03-23T11:45:31.490767Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490772Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9cbc2c3b1d3ff3e8b70534ad2baff4b7266312a9a709f83114c5617bcb10f0d2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b3a88402-ae3a-5203-9618-b68a109f2aa1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487926Z", "creation_date": "2026-03-23T11:45:31.487928Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487933Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "464c021854994a4e3d5461eb3da298d8edab04d16854abff5561ed2f236eb1a3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"b3ac668e-cce2-56b3-a97e-c9b3f4834655", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615014Z", "creation_date": "2026-03-23T11:45:29.615016Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615021Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ef86c4e5ee1dbc4f81cd864e8cd2f4a2a85ee4475b9a9ab698a4ae1cc71fbeb0", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b3b1d786-6268-54ae-9c3b-8ff7d994b1fc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812979Z", "creation_date": "2026-03-23T11:45:31.812982Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812991Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "5b3cca7fc8463525f0562af040ed47b86acdb24d4ea4380af9bd882d3bcc2cff", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b3b9e38e-0dd9-5805-b7a6-dc1f17e0e4b4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980357Z", "creation_date": "2026-03-23T11:45:29.980359Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980366Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8ed0c00920ce76e832701d45117ed00b12e20588cb6fe8039fbccdfef9841047", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b3b9f43f-beea-52ca-8525-b8a3814963e8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821190Z", "creation_date": "2026-03-23T11:45:30.821193Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821202Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8781589c77df2330a0085866a455d3ef64e4771eb574a211849784fdfa765040", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b3bd14e7-55ba-5eeb-8f6f-d28cdf6ceb33", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608387Z", "creation_date": "2026-03-23T11:45:29.608389Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608394Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c088bd8a06904ec62d40f0f1ae9dc5361472a76238a8458090202e057b983945", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b3be3be9-2da7-50c7-88bc-fda3c070fe2f", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818082Z", "creation_date": "2026-03-23T11:45:31.818085Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818093Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3485174d70a7be1357dcca39b49ec9a9e841a269de4dbcb30b58207a48e7519a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b3c2267a-1bf8-5cdc-a822-3d50c219fc72", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472154Z", "creation_date": "2026-03-23T11:45:30.472157Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472166Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "3301b49b813427fa37a719988fe6446c6f4468dfe15aa246bec8d397f62f6486", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b3c503cb-fb5b-524b-a386-73dce7bfd7e3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147311Z", "creation_date": "2026-03-23T11:45:31.147314Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147320Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5cb7aafa4b6b04009f8febe155ecef8213cc65a1a09cb84c30cf2e458a43e4e9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b3ce25d9-dd31-565b-90ff-bbc1e1212796", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.822220Z", "creation_date": "2026-03-23T11:45:31.822222Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822227Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b4b349c3be07ad3e3c05a965ee83c9a7bcff6218784cec0ac16fc124360bb276", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b3d3a493-8af8-5618-a1ba-11bd27fb8340", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457748Z", "creation_date": "2026-03-23T11:45:30.457751Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457759Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6621fb2e761237d2b09863fd31951789697f119d118d2e5db0e957ab0173f06a", "comment": "Vulnerable Kernel Driver (aka capcom2.sys) [https://www.loldrivers.io/drivers/45c42e32-6261-43c1-bdbd-cab58da729d8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b3d8cffe-da3e-5750-ae0a-e446a05cb598", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145972Z", "creation_date": "2026-03-23T11:45:32.145974Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145980Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f4f0357629e12ff599ad2f0179ac0f4eaec35044b7498037c2d91282dff9e592", "comment": "Vulnerable Kernel Driver (aka TSDRVX64.sys) [https://www.loldrivers.io/drivers/424a387e-735e-49d1-99de-f067dcf1c3e9/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b3e20df8-1e92-583a-8fb2-c6b5d0638b86", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149318Z", "creation_date": "2026-03-23T11:45:31.149320Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149326Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"dd7f1a8914e0da98219283e6ce217c74e55329e3dd97725ee275b6e468db799e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b3e59e92-9713-5db9-a2a9-7c853e36e980", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463811Z", "creation_date": "2026-03-23T11:45:30.463814Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463823Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7662187c236003308a7951c2f49c0768636c492f8935292d02f69e59b01d236d", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b3fbec4c-b570-57ac-9935-92715b33819d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978544Z", 
"creation_date": "2026-03-23T11:45:29.978546Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978552Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e1d3963c55c7ffa96d16e47ec4bbb4e171f828650ce853eb0b83c90ae9c6265a", "comment": "Vulnerable Kernel Driver (aka AMDPowerProfiler.sys) [https://www.loldrivers.io/drivers/9a4fb66e-9084-4b21-9d76-a7afbe330606/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b3ffc1bb-0dce-558a-8d3b-9067ff7f6b10", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488448Z", "creation_date": "2026-03-23T11:45:31.488450Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488456Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e418608e2f1881ab7a46eb0a5eeae8620f01fbb5f9fd7f77cc58f1856a11e217", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b4058d16-20fe-5339-8e67-6fb9c52b49ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978084Z", "creation_date": "2026-03-23T11:45:29.978086Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978091Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "59177fb7a0b11837368af1cc115f0d011ea19551070bd153795204ae1bd12e52", "comment": "Malicious Kernel Driver (aka ntbios_2.sys) [https://www.loldrivers.io/drivers/33a9c9ae-5ca3-442d-9f0f-2615637c1c57/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b405ebf8-f6b7-57e1-9d26-1d94adfc7b09", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492825Z", "creation_date": "2026-03-23T11:45:31.492828Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492837Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"5737c2db59cb518d8044183fcb75b47c7d238c37cb9ba765b05fc4e1ca2b0829", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b41345cf-b173-5227-b281-571a5a7e7307", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827889Z", "creation_date": "2026-03-23T11:45:31.827891Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827897Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "218a7f2c0c645745a0f8b6df1ff52d61febe127cd7a33d7f163dda98d133745f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b4174591-f45d-59c9-8292-78188af15801", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828685Z", "creation_date": "2026-03-23T11:45:30.828687Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828693Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1a3642c31fafc524b24c8ac692913df6ce0548efeca06fb369dc10bb9a95949d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b41e7709-111d-5c2f-81d5-5d5736f616a5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973501Z", "creation_date": "2026-03-23T11:45:29.973503Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973508Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c1251784e6f61525d0082882a969cb8a0c5d5359be22f5a73e3b0cd38b51687", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"b431e3fb-ee12-5c58-afd1-0fac1005d337", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473748Z", "creation_date": "2026-03-23T11:45:30.473751Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473760Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7f7c6346a25d465fbc06c41d841e6a5c7645545448db88793ab29d8e5637fae5", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b437c67d-c183-561c-9f08-ec70d8be090c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826350Z", "creation_date": "2026-03-23T11:45:31.826352Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826357Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "ed24e54cc6b6954987ba052764ed936ce6cc6644b05ad909b1378142e7c1090d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b44d9faa-4eae-5294-8e2c-3004d0c8609e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142928Z", "creation_date": "2026-03-23T11:45:31.142930Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142935Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aa5badc3f69d4d48396dc76bf4ae78def57fbda2d459d9365db64da6963bb2e4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b476bf47-5860-557e-9669-282d388d7a90", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479437Z", "creation_date": "2026-03-23T11:45:31.479442Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479453Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8a96d43d06fe7e9ddaf6206965b66611d24bb77341a9f0ec29ae9914bf486e8d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b48976aa-b9f2-5c04-ba88-d780c7e7ddd4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479618Z", "creation_date": "2026-03-23T11:45:30.479620Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479626Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bed4285d0f8d18f17ddaa53a98a475c87c04c4d167499e24c770da788e5d45f4", "comment": "Malicious Kernel Driver (aka be6318413160e589080df02bb3ca6e6a.sys) [https://www.loldrivers.io/drivers/a9ab4412-d484-459b-be97-5975f5ab8094/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"b4b64ef1-69c0-5715-b9ee-dab23b1ae135", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973287Z", "creation_date": "2026-03-23T11:45:29.973289Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973294Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "262268f21c789c2bdaf1950b556456a9a5114ed5759d806200b0cec107bf76d7", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b4b6f415-60cd-5915-9949-b839668e1aeb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967494Z", "creation_date": "2026-03-23T11:45:29.967496Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967502Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "cb8e536680732b474a5c26970ace2087667622caa3dd82c1c56731a7c5a1c8ce", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b4c5a55a-a4c8-5d40-8630-7540768cbf1b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150721Z", "creation_date": "2026-03-23T11:45:31.150723Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150729Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e0dd599393c689718f83fc63b98cf42bc62ea27cbd5c9993e845019464e9cc20", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b4d7d834-ba5b-56b4-886b-2891dbb37384", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810219Z", "creation_date": "2026-03-23T11:45:31.810221Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810226Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cf3a7dee3a5dcbc237cc2015a0e23a97306f914e502e98d9fcb45af3ddbdef64", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b4de0662-096d-59f6-a3c2-1035309217ae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459300Z", "creation_date": "2026-03-23T11:45:30.459303Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459312Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9dbc2a37f53507296cc912e7d354dab4e55541ba821561aa84f74d1bd8346be2", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"b4fe044a-e17d-514e-a60b-908a72a16f8e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621938Z", "creation_date": "2026-03-23T11:45:29.621947Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621956Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "54231728c29f2d2003ec575729760369bb72be7b656b52b4f02ec198f4ee4dfd", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b504f00d-92f0-5356-9d5b-a684baec31ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832242Z", "creation_date": "2026-03-23T11:45:30.832245Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832250Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": 
[], "type": "hash", "value": "78cb9665367af9bb8e1c49ce7c64fc56f2c9580c4781a2d09bbceaa23f9f130b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b5244573-846b-5ca5-ad22-5ab9340253bf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495653Z", "creation_date": "2026-03-23T11:45:31.495655Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495661Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "034eb20c8e0409eee548de31e50388ade722fcb2137314d0bbee8e5d5cb0339e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b52d12a0-e5f8-5a1b-99ca-cb2a154bfa94", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463013Z", "creation_date": "2026-03-23T11:45:30.463016Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463025Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "94ba4bcbdb55d6faf9f33642d0072109510f5c57e8c963d1a3eb4f9111f30112", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b538652b-7c06-56b3-b096-4a34dc9678c5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817933Z", "creation_date": "2026-03-23T11:45:30.817935Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817941Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "70afdc0e11db840d5367afe53c35d9642c1cf616c7832ab283781d085988e505", "comment": "Vulnerable Kernel Driver (aka stdcdrvws64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b54b7cd4-1b8a-52ae-ac14-fde3a4e528dc", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980855Z", "creation_date": "2026-03-23T11:45:29.980857Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980862Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a0e583bd88eb198558442f69a8bbfc96f4c5c297befea295138cfd2070f745c5", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b54f9446-26de-56b2-bafb-b8577d4be1ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151038Z", "creation_date": "2026-03-23T11:45:31.151040Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151045Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f56ccd1a839000a76a839ed9f03ff5778951890eb1fe13c5fcdb2540ed558ae3", 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b55286d1-6392-5956-921a-2091f976c8a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980447Z", "creation_date": "2026-03-23T11:45:29.980449Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980454Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0b547368c03e0a584ae3c5e62af3728426c68b316a15f3290316844d193ad182", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b553a1f9-0ece-5f38-ab3d-d3e8e62fe043", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155014Z", "creation_date": "2026-03-23T11:45:31.155016Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155021Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "29a19128fb0894e5f0f70e24b651007d33a51d430b1ff8ee77cdcb17b925ce95", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b5612782-d39b-59c1-98bb-ba9bb525c065", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828988Z", "creation_date": "2026-03-23T11:45:31.828991Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828998Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7e753d1cc0ee358578b604144b918f287f1127da9cebfdbf167ee649d7534fda", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b5690161-c80f-5802-a8df-247f29f8a9d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143416Z", "creation_date": "2026-03-23T11:45:31.143418Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143423Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1a81d5126c51d64cd3f6ead91efa079fc877d6cad2e69de1c37fc1be29984d50", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b586c611-c482-5ed5-bb27-8cf326ac17eb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614351Z", "creation_date": "2026-03-23T11:45:29.614352Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614358Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"09bedbf7a41e0f8dabe4f41d331db58373ce15b2e9204540873a1884f38bdde1", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b58b3377-972a-5d0e-a5f1-d9aae599ce4d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142471Z", "creation_date": "2026-03-23T11:45:31.142473Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142478Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c8c33ee4f007208b5a6f34dedd5a61d90fa27fb56c4ccba0e5a83702482106f4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b5935923-4698-519f-9c0d-715cd2c990c2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.465624Z", "creation_date": "2026-03-23T11:45:30.465628Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465637Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a74e8f94d2c140646a8bb12e3e322c49a97bd1b8a2e4327863d3623f43d65c66", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b59d9749-418e-5fa6-ab42-49a6bde2554b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473884Z", "creation_date": "2026-03-23T11:45:30.473887Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473896Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f94c8dee30d8d349d0b51b9f1624c49ef8b6b8d54d40ecf09af95011d01b705f", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b59de7dd-7c9e-56f3-b1be-f37f12b1ecef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811608Z", "creation_date": "2026-03-23T11:45:31.811611Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811617Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "617d5e50ebacff362232217b44ad1be06158214aa14cc46b60581acb530989fe", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b5aa5e91-bd6a-5214-a4ee-fc79c2d4a532", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821156Z", "creation_date": "2026-03-23T11:45:31.821159Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821167Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"955887adbe6565cedb6cd793db36c5a4083e12faf5883a310e43cce8c8b2fd9e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b5b65bb7-fb1c-57ba-8177-cb13efb976b0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618271Z", "creation_date": "2026-03-23T11:45:29.618273Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618278Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c11305fc8da85568b2d41cdf030ce260815fea848af91dc0e01076d461bab919", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b5d949d9-8be7-5dc1-8dd3-d18f5b5368dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808921Z", "creation_date": "2026-03-23T11:45:31.808923Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808928Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dec61fd459bc6d34645518d47257b636ffd5ae7d1dd50452ab53afa0d9d51006", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b5e3ab8e-adeb-51ff-9ec8-56c2765211e3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829646Z", "creation_date": "2026-03-23T11:45:31.829648Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829653Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c175dfa16b4f37e3cfde8ee8da821ad5fc5b95f03da51996abef2ba7223c4c11", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b5efb753-7906-5b95-8b8b-ed16a063c0bb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810029Z", "creation_date": "2026-03-23T11:45:31.810031Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810036Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea9a74b066bc5aac4377a438217f40509c43e2f0318553ad1fb248c6dfed9fe9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b5f09107-7046-593e-9d26-cce0e4275603", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466128Z", "creation_date": "2026-03-23T11:45:30.466132Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466141Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5295080de37d4838e15dec4e3682545033d479d3d9ac28d74747c086559fb968", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b5f1064e-988b-57c5-9df4-214c755aba76", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461268Z", "creation_date": "2026-03-23T11:45:30.461271Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461280Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "965d4f981b54669a96c5ab02d09bf0a9850d13862425b8981f1a9271350f28bb", "comment": "Vulnerable Kernel Driver (aka sfdrvx64.sys) [https://www.loldrivers.io/drivers/5a03dc5a-115d-4d6f-b5b5-685f4c014a69/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b61be673-4722-5513-a715-1252eb5a9aef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149260Z", "creation_date": "2026-03-23T11:45:31.149263Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149272Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1cc45bb77bf76a530d653340ab53548c4c3353be1088c1ded3b26fdb7e324c7b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b6260e6d-05f4-52e6-a5f7-af363befb4df", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826831Z", "creation_date": "2026-03-23T11:45:31.826833Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826838Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "684ff3390c3e0ab64e278e86f12aa11751e2f7e25e61aecb8e47b0560be5a713", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
} { "id": "b657a637-7188-5632-8106-a82614b1bceb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156552Z", "creation_date": "2026-03-23T11:45:31.156554Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156559Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "182fe67f10ccaf1511093d66f02d554ec14b3e35f0e9f99b40d1b6cdf6bc3774", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b68d2caf-1c49-5327-8332-a6b3db88698b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616968Z", "creation_date": "2026-03-23T11:45:29.616970Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616976Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "df4566edea7c02e29d7dc56ff3f7da6c1ef846e1063b2805a5180bb0d6db37e8", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b68ec021-7351-5ee4-908e-a1dc72390547", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146385Z", "creation_date": "2026-03-23T11:45:31.146386Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146392Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "687af130c03ad59fb35b28447dc7ba5c2cda36969d31bf38bf3ebe676ede48ae", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b691a5ca-8282-503f-9990-cfbf2974187d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825307Z", "creation_date": "2026-03-23T11:45:31.825310Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825318Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e6955b73194b48410331b0518e68dec23d8a40107dd72209b9097ae9a361f13d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b6949fef-552c-55c6-b14c-61c8e6e050df", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622419Z", "creation_date": "2026-03-23T11:45:29.622421Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622427Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "38b3eb8c86201d26353aab625cea672e60c2f66ce6f5e5eda673e8c3478bf305", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] 
[file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b694df8b-c982-5db3-a254-68d595fec621", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814547Z", "creation_date": "2026-03-23T11:45:31.814550Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814560Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9f1628f379703dcf5a0711782af2a2dd895b1a57cacfd3e29f013fb074dc4174", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b6984ab0-6362-59b4-b954-1b8544ebf91f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826389Z", "creation_date": "2026-03-23T11:45:30.826391Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:30.826397Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4144c5acae0a44ca3b2abbb9346bd17621bcdaaf66107ab5f4059d594b645bd1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b69e3285-6453-5b93-bdc5-e4f328ee3d36", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457564Z", "creation_date": "2026-03-23T11:45:30.457567Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457576Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aff3f4d25b85b6b3147d2b7f586edc3e9aa2ec25c37d5dc7ad809d99677497ea", "comment": "Vulnerable Kernel Driver (aka rtkio64.sys) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b69f342a-feab-5c85-ac01-b28254e4512a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612037Z", "creation_date": "2026-03-23T11:45:29.612039Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612045Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "475e5016c9c0f5a127896f9179a1b1577a67b357f399ab5a1e68aab07134729a", "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b6a1f8a5-1ca6-5739-a64e-b10b8a1a8762", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481468Z", "creation_date": "2026-03-23T11:45:30.481472Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481480Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a66b4420fa1df81a517e2bbea1a414b57721c67a4aa1df1967894f77e81d036e", "comment": "Vulnerable Kernel Driver (aka rtif.sys) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b6ae8e70-0b6b-5dbc-ad9b-0dd6cfcb4d1f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487378Z", "creation_date": "2026-03-23T11:45:31.487380Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487386Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "12428d69268adc7d6bf9c1e74b3e799cabe8319bffb47729385205b17c43a40b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b6b12588-2faf-5dfa-a97d-0f8f31256ee2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977072Z", "creation_date": "2026-03-23T11:45:29.977074Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977079Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f744abb99c97d98e4cd08072a897107829d6d8481aee96c22443f626d00f4145", "comment": "HP Hardware Diagnostic's EtdSupp vulnerable driver (aka etdsupp.sys) [https://github.com/alfarom256/HPHardwareDiagnostics-PoC] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b6b6d27f-e0de-5bc8-adde-76f77f6928bf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612232Z", "creation_date": "2026-03-23T11:45:29.612234Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612239Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7bfa54943180e34aea390a8f63a2cb007cf53c336dff697c60a79103f3c0c19d", "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b6c3acaf-dcbe-5582-9714-e38769d84f4b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604482Z", "creation_date": "2026-03-23T11:45:29.604484Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604489Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5b4f59236a9b950bcd5191b35d19125f60cfb9e1a1e1aa2e4f914b6745dde9df", "comment": "Vulnerable Kernel Driver (aka STProcessMonitor.sys) [https://github.com/ANYLNK/STProcessMonitorBYOVD/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b6cc106e-0e47-5024-8c3b-3d5e8df07ad2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811561Z", "creation_date": "2026-03-23T11:45:31.811563Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811568Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d27b53a93330abe2ba2fd0c93a1caa1a55e79cb8ece3eb0b38653712ef82272f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b6eaf652-d31f-528f-ad0a-5d2dac9af4f1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152986Z", "creation_date": "2026-03-23T11:45:31.152990Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152998Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9253b82646dd6767c9bbbdcf036643b83d6e3ac046b869604b300c342636af27", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b6fd03d8-d637-5f1a-bb3e-6e94129a6169", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826479Z", "creation_date": "2026-03-23T11:45:30.826481Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826486Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6e452b924f08462338446dd707dd56a8b1da279ca503006bc981884206d7c5fb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b7002c98-6ee6-5a56-8e54-2367ff063bbf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473475Z", "creation_date": "2026-03-23T11:45:31.473479Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473489Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4afbf265692579b3b771883308cd632f722feb86ee5fb9689eb7120f4749e221", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b705e0f9-0f2f-5294-90a0-52c6b8dbdd26", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812320Z", "creation_date": "2026-03-23T11:45:31.812324Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812334Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c81ac49bf30708098f785a712fd922f72284c1c44922afaebbe42f4e8f1de6cf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b706e6ad-8f93-50af-98ce-d80686847612", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810955Z", "creation_date": "2026-03-23T11:45:31.810957Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810962Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "57e7fee32f356edbbe3911f708f3a578fd28895597cf661d76fb5ea8500cee52", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b7134e9b-239d-52c4-acf1-c2bcc9dd5fd0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481804Z", "creation_date": "2026-03-23T11:45:30.481806Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481812Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7c8ad57b3a224fdc2aac9dd2d7c3624f1fcd3542d4db804de25a90155657e2cc", "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b72374d9-a834-5185-a05a-61f85f435328", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622280Z", "creation_date": "2026-03-23T11:45:29.622282Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622287Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9778136d2441439dc470861d15d96fa21dc9f16225232cd05b76791a5e0fde6f", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b727055a-75af-578d-b473-974c5fd00335", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819016Z", "creation_date": "2026-03-23T11:45:31.819020Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819028Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a984513c456cb68749afba1fe16be4b2e10b0f30761e95165f1217bdfbe682b5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b72ae010-2ad2-5735-b348-b95ec3ed4bab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605249Z", "creation_date": "2026-03-23T11:45:29.605251Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605256Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "29f611e5189e8a1b1c8e5534bdafa617f679097a54dd4f91af3dc8922e668e04", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b72eaff8-1c6f-5c90-9338-f97017d4669a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608155Z", "creation_date": "2026-03-23T11:45:29.608157Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608162Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3026a7202354b9b1300215cf0288f34ffb99098a0a2fcd96fbad0987182a99cf", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] 
[https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b734d229-477c-5c29-ace9-bd065d675680", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142109Z", "creation_date": "2026-03-23T11:45:31.142111Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142117Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "50f528b63af1ffa45d6a7f0a60b4170de2785575cc58b79c28831699b346462a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b7470c30-eb55-5e04-8e2a-576b4a8fce1e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970755Z", "creation_date": "2026-03-23T11:45:29.970758Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970766Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4297641b1127248815ceb5e06dc0f6c5121e73f2fa91fe573a7c6f8dac66745e", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b7492c3f-b3da-5565-8f9b-0e77dc96b321", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985648Z", "creation_date": "2026-03-23T11:45:29.985650Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985656Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1485c0ed3e875cbdfc6786a5bd26d18ea9d31727deb8df290a1c00c780419a4e", "comment": "Malicious Kernel Driver related to WINTAPIX (aka WinTapix.sys and SRVNET2.SYS) [https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b74b620f-f7ab-5f2b-8b07-26b3091444c1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810847Z", "creation_date": "2026-03-23T11:45:31.810849Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810854Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "36e590d5d123f8bfd652fb6cdafcde6634d7c139a7ccf51b0ee1f5fda41b3abb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b752a679-23c1-575c-af19-d467679e6e54", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145129Z", "creation_date": "2026-03-23T11:45:31.145131Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145137Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c1154d885751e694cff686db2d65497d113e607eef765e555076a4462b54b636", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b7589b6b-f256-5e5a-8334-6db2c20276b8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611218Z", "creation_date": "2026-03-23T11:45:29.611220Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611225Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d4e93f592a8342b0eb582d24a114348ce40ecb3c1e7b238d731b02e17d5aae7d", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b7604fc2-c79f-52d0-abd9-203185cf065e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154299Z", "creation_date": "2026-03-23T11:45:31.154300Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, 
"hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154306Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "967b7ba007fa14fb9309de521189c7fb5dc2215b958c2fd905605106278d7600", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b76e3d53-45aa-5d77-ace5-24b299698aa2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.158800Z", "creation_date": "2026-03-23T11:45:31.158803Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.158809Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4479cf843b70d11708e9763ec7e49d228fbd16205955306f5400f5af1558a2ec", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b7724d1e-7256-5a18-a40e-fd790edf2181", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983140Z", "creation_date": "2026-03-23T11:45:29.983142Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983147Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530", "comment": "Malicious Kernel Driver (aka daxin_blank.sys) [https://www.loldrivers.io/drivers/7e80423f-8b30-4ee2-b904-9f5421826a8c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b7859ea6-fad4-503d-812f-41295bc7890a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973585Z", "creation_date": "2026-03-23T11:45:29.973587Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973593Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3fa6379951f08ed3cb87eeba9cf0c5f5e1d0317dcfcf003b810df9d795eeb73e", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] 
[https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b78b6ac2-b396-5a67-b46e-66cca85a2b3b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827543Z", "creation_date": "2026-03-23T11:45:30.827545Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827551Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ece9cb2d25fa5c96818f0cf91d82aba6d6d2f861cc0c44e5ad32cd5b4f57fd3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b78cb50f-875e-50ed-aa71-b9d7d0936006", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972612Z", "creation_date": "2026-03-23T11:45:29.972614Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972619Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e4eca7db365929ff7c5c785e2eab04ef8ec67ea9edcf7392f2b74eccd9449148", "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b79bd2bd-4b72-5bdb-98f0-3f2f386feb63", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830239Z", "creation_date": "2026-03-23T11:45:31.830241Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830247Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ecb07e72d6937ab5cee4a7b8176351cbdefa3e0b230a5973b8fc6c2f2c02f30d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b7a1d707-6781-57b0-a7e3-cc26171c62e6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826578Z", "creation_date": "2026-03-23T11:45:31.826580Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826585Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "090b6145fa96cb218f77f8c03c0c17f0f3d579f234761781ca6d6cb2122959c6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b7ad808c-fe08-5b42-af00-f1ecdfb49ff9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148740Z", "creation_date": "2026-03-23T11:45:31.148742Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148747Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"870646a801f2e60c1d7bc2fcc305ad8511c9eabdc10828fcdd36b111e51a6f03", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b7add52e-ac7c-5569-95dd-8287c619b80a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818709Z", "creation_date": "2026-03-23T11:45:31.818712Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818721Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "02fd2579e9c55b80c7c86b9f7a9034ec8fd80824e7228840d1f29aa47a739014", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b7b46e24-f9df-59d4-9deb-5a6548d2592a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833782Z", "creation_date": "2026-03-23T11:45:30.833785Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833794Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d1d818a5f3f44aa2a125059f27419313e91d5e33be5060cc5b0f79e740625a4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b7cd6835-dfc5-509c-8f7e-00f1adccf277", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608317Z", "creation_date": "2026-03-23T11:45:29.608319Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608324Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a22d5d42dd0cdae016b536799ab9c384c23b42f5662f0b115b3b85ccb9e23242", "comment": "Malicious Kernel Driver (aka hlpdrv.sys) [https://news.sophos.com/en-us/2025/12/06/inside-shanya-a-packer-as-a-service-fueling-modern-attacks/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"b7cdf172-00a3-5086-bb4e-a74eeb58b40a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828919Z", "creation_date": "2026-03-23T11:45:31.828921Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828926Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4c05e168fc2806a4883713813487fc501462ee69e28ecfc76b8044b9d057f204", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b7cf1804-f8a1-52bd-915b-ec0b61179d3d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500038Z", "creation_date": "2026-03-23T11:45:31.500041Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500049Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d2c9f7ececbafd9936ad4d72f6d1cfd333f9cf7c9320e8383a6d18dfd40892ed", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b7dd8c09-7318-5d98-b03f-b34d4475d3bc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825596Z", "creation_date": "2026-03-23T11:45:30.825598Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825604Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd4702f963b6c4fa7884c87e8924f9062e608216a299e5acbaa7421f2287711b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b7e9da62-716d-5ce7-b165-a0999f0e2881", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823865Z", "creation_date": "2026-03-23T11:45:30.823867Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823889Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "347acba74fdcbeac671521739f8a34ec0e378caf716c31f55616f9f843e4d0d3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b7f1376b-3360-5169-8897-7f17e8eb3f47", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500091Z", "creation_date": "2026-03-23T11:45:31.500094Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500102Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3114d18c1b9f7b04688b779d26c24ad199ed06ab41a9704dcdd723c1de370115", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b7f2b9f8-be09-5b45-84bf-e2a256108fac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615502Z", "creation_date": "2026-03-23T11:45:29.615504Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615509Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e951858d5317724c015eef07d402e8bcb33cf1a7c2ccf7a75cea63e3430d16a2", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b7f561d9-eb74-5ec2-b211-6867ba400773", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489179Z", "creation_date": "2026-03-23T11:45:31.489181Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489186Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47e5bc2ff855dd341963b37f07d51c701f188a5f8ce09e67dfc6fa11cfb5e01f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b7fd577a-7f46-5699-b917-f93653032cc4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467326Z", "creation_date": "2026-03-23T11:45:30.467330Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467339Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f2d3101ef507e6d9ae5475d8fd9b1ca6d2548fe0454c25389d6981f1b33f88f7", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b80d1e6d-32be-53a9-a13b-0f98ae3b18bb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967967Z", "creation_date": "2026-03-23T11:45:29.967969Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967975Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0988d366572a57b3015d875b60704517d05115580678e8f2e126f771eda28f7b", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b80f62f7-adde-5c34-bfef-112b524175cc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.497559Z", "creation_date": "2026-03-23T11:45:31.497562Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.497568Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b026fbaa7607d48e26f291e514de72700c84fde7f4f417123525407707a155f7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b81d601b-185b-5e90-9cac-f96693cbc52f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472052Z", "creation_date": "2026-03-23T11:45:31.472055Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472063Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "06a39013cc3c9485537d7e8bbfab5fecd7046372e38bcf921182994883951198", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b8235725-f2c4-5330-9ef6-2c3bdca7e808", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145451Z", "creation_date": "2026-03-23T11:45:32.145453Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145459Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ebe86f9f6c9c6639f3327f210c2a945bbbf069f505b1b85e3aee8d1cddf702f9", "comment": "Malicious Kernel Driver (aka driver_206006a1.sys) [https://www.loldrivers.io/drivers/9e0a1bae-6509-41fd-a5bf-dfe6cf388682/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b83eef7a-8f92-53d0-aad1-f7785ff427a0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825725Z", "creation_date": "2026-03-23T11:45:30.825728Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825733Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "da08b5a88175b58d0f7fcefeb0eef3efe8ae12e6c04c6f60e88cc4e860e2c277", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b8577b45-ccd7-59f8-817e-29c753804b74", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152418Z", "creation_date": "2026-03-23T11:45:31.152421Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152429Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ae97c26f8724639a6b4e7644625a82c6b548d048b0a89c8f8bb6c62f7d7fe84b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b85bc58f-034a-5ecc-96af-c16494b0ee29", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824845Z", "creation_date": "2026-03-23T11:45:31.824849Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824859Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "579ba5f388f4339330735b738f56641c074d5ebeafcce468a578b4cc1517b38b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b8774bcf-44e2-57fc-9191-e7381e474f73", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614902Z", "creation_date": "2026-03-23T11:45:29.614906Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614912Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cf4b5fa853ce809f1924df3a3ae3c4e191878c4ea5248d8785dc7e51807a512b", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b88098fd-f140-5aca-aade-096954713ea8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456132Z", "creation_date": "2026-03-23T11:45:30.456135Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456144Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "274340f7185a0cc047d82ecfb2cce5bd18764ee558b5227894565c2f9fe9f6ab", "comment": "Vulnerable Kernel Driver (aka fd3b7234419fafc9bdd533f48896ed73_b816c5cd.sys) [https://www.loldrivers.io/drivers/c7f76931-e24c-4d94-9e1f-5a083da581b4/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b8855b70-3f0c-5a37-881d-fb631a667460", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482825Z", "creation_date": "2026-03-23T11:45:31.482829Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482838Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd9ff740c73b48deb5dde01edb84e4961aff64152fcc405edff5497b4cac2418", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b88c08be-f404-58a2-9249-cf9c85dae775", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980306Z", "creation_date": "2026-03-23T11:45:29.980308Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980313Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9724488ca2ba4c787640c49131f4d1daae5bd47d6b2e7e5f9e8918b1d6f655be", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b893c1a0-6640-5220-a74b-6ec21d9dc4e9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.147113Z", "creation_date": "2026-03-23T11:45:32.147115Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.147121Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bcc5394705e552d0312592c507b71a6bd921782f82bb5b4acc721d2f056030a5", "comment": "Vulnerable Kernel Driver (aka LnvMSRIO.sys) 
[https://blog.quarkslab.com/exploiting-lenovo-driver-cve-2025-8061.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b8babd50-004a-5bea-af55-061dd1922a6f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453884Z", "creation_date": "2026-03-23T11:45:30.453887Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453896Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e1a6c1e23108ede9167ffdf9ebc6af64a011bdafc57d25f84afab6c021ae7741", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b8c10f77-8c2a-500e-9efb-80e9445aec96", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615048Z", "creation_date": "2026-03-23T11:45:29.615050Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.615055Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fd8669794c67b396c12fc5f08e9c004fdf851a82faf302846878173e4fbecb03", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b8d1d6bb-3817-5fd9-a720-fa8e09eb6cdd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826384Z", "creation_date": "2026-03-23T11:45:31.826386Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826391Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "749216268b2e85c3528db4be76eda878d8c6c3605c57fa2c7a5acd11074deb71", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b8d3d4a7-028b-5769-9c6b-3cfe2dff7a5a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811363Z", "creation_date": "2026-03-23T11:45:31.811365Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811371Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9b91d3fb5e9bfafa19547e604113f506f1d4ad1d108157fbbef81a82708e8d6d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b8d82f74-d647-5a8b-8c89-c27e09f96f12", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493597Z", "creation_date": "2026-03-23T11:45:31.493600Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493609Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "88010b12941fee7b9f24cc6a57f990826bed907073ff55ca0f325a1aa2c23a0b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b8f1634e-2502-5dae-aac9-22e2a4371d91", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493087Z", "creation_date": "2026-03-23T11:45:31.493090Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493099Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "101b95e50f005d464c583d826574639ae8f1d03fa2cc83345ae2b8b53f93a772", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b8f6de7d-77c9-5a2a-8966-3fd8b03ee0a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616185Z", "creation_date": "2026-03-23T11:45:29.616187Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616193Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "63041a13d1658e22fecc34706e98ab08b54b94e7d028bf2b1308ff85995a01c3", "comment": "Phoenix Tech. vulnerable BIOS update tool (aka PhlashNT.sys and WinFlash64.sys) [https://www.loldrivers.io/drivers/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b8f98719-b497-5bbf-9a93-1d0e9679f5de", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476242Z", "creation_date": "2026-03-23T11:45:30.476245Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476256Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d1c78c8ba70368e96515fb0596598938a8f9efa8f9f5d9e068ee008f03020fee", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b8ff4ac5-46ca-5ad3-993a-f94b148ac0c3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614631Z", "creation_date": "2026-03-23T11:45:29.614633Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614638Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6f1ff29e2e710f6d064dc74e8e011331d807c32cc2a622cbe507fd4b4d43f8f4", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b9041cd3-6bef-5804-8faf-c6883393024e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833865Z", "creation_date": "2026-03-23T11:45:30.833885Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833894Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5f784d2666fac241c31cec0cc285d228662d509ec75678565d4a63d5a4712c7b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b91f3844-6497-5ebf-a091-3ab60f51c63b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818006Z", "creation_date": "2026-03-23T11:45:31.818009Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818016Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5adfedbb426cac12472d6122217cc34b32c1272870087132e6d3cc286a357e13", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b92ef931-edc5-5b78-a11b-07098fb08583", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824611Z", "creation_date": "2026-03-23T11:45:30.824614Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824622Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "384f2761d6f92727598e6b0ba36dbe2187b4798631302dbf5f0692bd52383b98", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b93198b3-99db-50f5-ad34-eee3fdc33f5c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822344Z", "creation_date": "2026-03-23T11:45:31.822346Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822351Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c881a4023af4368404f13117cc068690f718c73077c2560846924b241814ef81", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b932b1fb-b062-5a92-8e1d-90008cd17b12", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141042Z", "creation_date": "2026-03-23T11:45:31.141044Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141049Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "50eaae094acb573f290dbee057df37b308d0e1405b56ff33c69beee9e5913a17", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b9369005-bb9d-5009-a8c6-e1607d617f68", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472721Z", "creation_date": "2026-03-23T11:45:31.472724Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472733Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e5e76fd04dc733abf48dff452b3be8cf09a1ad2ec54333f75386431566dce502", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b93793db-e229-50aa-a424-30e40d450bc1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605138Z", "creation_date": "2026-03-23T11:45:29.605140Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605146Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e9c121b6d68ce8ea989142ac98bd63e055b1fc9b720713e735569552503e362a", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b938dd8e-1d52-5993-aab3-ac8a52e60430", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617538Z", "creation_date": "2026-03-23T11:45:29.617540Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617545Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "94111de210f6b3b48dda16b3422f0f9180e30bcb5765b6858c451d1d89196199", "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b9556a25-65a4-5e32-9664-87f40587b349", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829272Z", "creation_date": "2026-03-23T11:45:30.829274Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829280Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f9d6b6784b5616ea4ed45d1910502919676e93a7c0af895c879adff580cec18d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b967fb15-74a6-5e0a-a7cb-78fc5e6f5f12", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144777Z", "creation_date": "2026-03-23T11:45:31.144779Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144828Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "137f68f02f7ce1c085474d0a61ee460ea597db6420c5930bd6dba282f329bf20", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b968cbd6-cf44-5bc0-915c-18bc6ab5e700", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477192Z", "creation_date": "2026-03-23T11:45:31.477196Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477206Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b96438e685eff2d464e63035f5a6bd7f5a04bdcb9ad29d75d5143b79d1a94835", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b96f6d3b-d4ca-544b-b693-66ce8d4aebab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499377Z", "creation_date": "2026-03-23T11:45:31.499408Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499416Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "420bece9efaa2836e412bc552d46c18a47f5623a1cefad4e58f6d33e09d29683", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b97ce09c-5bf2-5b51-bb07-97cb9a8b572b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822185Z", "creation_date": 
"2026-03-23T11:45:31.822187Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822192Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ca7a7790afb16b7ef72beb8c8f1b2d362db9b7c380d1fdc5117d8824db354020", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b9818383-2a23-5ed9-bc1a-cfb36b904f1f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975042Z", "creation_date": "2026-03-23T11:45:29.975044Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975049Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7e81beae78e1ddbf6c150e15667e1f18783f9b0ab7fbe52c7ab63e754135948d", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b9829f42-4c39-59f1-a3db-8b2075615189", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143816Z", "creation_date": "2026-03-23T11:45:32.143818Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143824Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2759e2290295a81e80ef5d8e95266aa08d67832c0af51267ad1100b89d8b890c", "comment": "Vulnerable Kernel Driver (aka ACE-BASE.sys) [https://www.loldrivers.io/drivers/ff77b58d-e143-4f61-92de-c0d9bc0af7d5/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b992a289-6657-5591-9dd2-deedf1746e4b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148451Z", "creation_date": "2026-03-23T11:45:31.148453Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148458Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "76ad8523b85c431b00e8025d7513a0a7058ec1fad1eda456b857087029a3119f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b9979068-f152-5381-893b-283151f7aaa1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148590Z", "creation_date": "2026-03-23T11:45:31.148592Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148598Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7b377a73f5b7ac58897de2ee6108a2fb0401af9ad584a33902a9fcff40f5066e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b997cf40-f107-57ce-954e-2495517b4655", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984511Z", "creation_date": "2026-03-23T11:45:29.984513Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984519Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "68b8f7154ad202145cf51ed2a8e21268af75efafff36db254e6943e154bd915a", "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b9a16e45-27cf-5725-bef5-42be4d291509", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618097Z", "creation_date": "2026-03-23T11:45:29.618099Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618104Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5cc6b647174c8efa0a81ec1d3cb0464c8a567456571d0939fb2e76c6850bf7cb", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] 
[https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b9b12495-17ae-558d-881e-380ecb88e74f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471569Z", "creation_date": "2026-03-23T11:45:30.471572Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471581Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "41765151df57125286b398cc107ff8007972f4653527f876d133dac1548865d6", "comment": "Vulnerable Kernel Driver (aka AsIO.sys) [https://www.loldrivers.io/drivers/bd7e78db-6fd0-4694-ac38-dbf5480b60b9/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b9bd24c9-ab07-500d-9dd7-e0a03fd7dc18", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.478744Z", "creation_date": "2026-03-23T11:45:31.478747Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.478756Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2c27561b68e478bab9a1f391060c479ea67d6a23bf4531029c6bc94a4f9c5ff0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b9d044a7-5b8a-5000-ba3c-29ec41ab46df", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808128Z", "creation_date": "2026-03-23T11:45:31.808132Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808140Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6550963f98cc27366813fba3bcd61feb1f830a5e502384073ff6fad28158c97b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b9d69e9f-edbd-5ef7-a305-9469b9c3e83c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812598Z", "creation_date": "2026-03-23T11:45:31.812600Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812606Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1075c8bdd4decafad2f1614ef5f9d60e4fc41a5c82510f5631484e6db222b49e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b9dfecd7-5ed1-5725-9c40-6c7365cdba9c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.142830Z", "creation_date": "2026-03-23T11:45:32.142833Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.142839Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e8bdfab9d5b5c37f6f23ddf9dddba2feb74261b61a80dee0c6aebffbf39948fb", "comment": "Vulnerable ITM 
SYSTEM File Filter Driver (aka probmon.sys) [https://antonioparata.blogspot.com/2024/02/exploiting-vulnerable-minifilter-driver.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b9e36ec0-fabf-5571-a2f8-f6977827bb46", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824661Z", "creation_date": "2026-03-23T11:45:30.824664Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824672Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fb1db36d8465baecf79e37e992f7552749503b942c76c4138cb39e0f86e5fbff", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b9e740d1-0681-5f4e-b576-0a6297a7ebdc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.815993Z", "creation_date": "2026-03-23T11:45:30.815995Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816001Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "270547552060c6f4f5b2ebd57a636d5e71d5f8a9d4305c2b0fe5db0aa2f389cc", "comment": "Vulnerable Kernel Driver (aka ecsiodriverx64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b9e85c60-cf67-5de8-89a7-08b835fc6a12", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477849Z", "creation_date": "2026-03-23T11:45:30.477853Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477862Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ad5418a4b5edf1c963da343b1bdba14fac9e8ee49489b2f35136c4aebc9540b8", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "b9f10145-f570-5291-9210-5774fc338d5e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828962Z", "creation_date": "2026-03-23T11:45:31.828965Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828973Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "11cc3b62ab1db95187a0d65c321b6514f53757b50a46be0a0d9dc13d98d58d01", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ba068929-f5c9-5951-965d-e0b1586784d4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809263Z", "creation_date": "2026-03-23T11:45:31.809266Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809275Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "534915d8e06cf020f0bfa567c425fa206a3d0c175d10a6f039e4da2eb37740cc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ba0d2233-4af7-5069-a3e0-9a0874a50878", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821393Z", "creation_date": "2026-03-23T11:45:31.821395Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821401Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aa755a932255ccdc3e40f3d9db14c8c53dd15ec43f678e88262a3a6d29be0865", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ba118ba8-3db7-5b85-8788-97e7291f64fc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818941Z", "creation_date": "2026-03-23T11:45:30.818943Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818955Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c3577eeb107de6a0cdf6ac3ee75339f09fd0eb00b4d368bf841b6126af7629a1", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ba1da611-e3fa-5321-9875-b634c4b8c736", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826747Z", "creation_date": "2026-03-23T11:45:31.826749Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826755Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b306a86b99f6e6273e920e5ee29a0f1eb2aa54074af3369b0c3fef86452694a5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ba21f595-85d5-55fc-9a21-abf3b7c737e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822945Z", "creation_date": "2026-03-23T11:45:31.822956Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822964Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5a6f2532148a28855b741f3246162f58b940c8b4c3f7a218abcd029c624595e5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ba28b337-ca8f-5d88-84d4-b24409b7e2e4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818381Z", "creation_date": "2026-03-23T11:45:31.818384Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818392Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9b1a3223f2a0e5468ee5ea9250747abb91ad144e529d12298ed406498e2b6949", "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ba28b817-6ea9-511a-a026-114097d1c7ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475314Z", "creation_date": "2026-03-23T11:45:31.475318Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475328Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7eb0e8be6426ef7337546df5dac9ec682ac3ecfe75739a777fe79a677d935783", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ba4950e5-1616-5b71-befb-9b57f8e647b3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607311Z", "creation_date": 
"2026-03-23T11:45:29.607313Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607318Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a10b4ed33a13c08804da8b46fd1b7bd653a6f2bb65668e82086de1940c5bb5d1", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ba4f15ac-920c-524e-b30d-4de6ff7c57ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982289Z", "creation_date": "2026-03-23T11:45:29.982291Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982297Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7cc9ba2df7b9ea6bb17ee342898edd7f54703b93b6ded6a819e83a7ee9f938b4", "comment": "Vulnerable Kernel Driver (aka SSPORT.sys) [https://www.loldrivers.io/drivers/c854b612-0b9f-4fc3-a7b8-a93bed7a291e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ba510417-661d-50bf-827d-c10ffa880ee2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821503Z", "creation_date": "2026-03-23T11:45:31.821505Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821511Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "83b05582efd8cc9bc6ecf5d93e4f86ea8c3e6aeca5bd1d77baa2954924493cb0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ba5795e9-dddf-5fe9-bcab-66536ffb8f15", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474062Z", "creation_date": "2026-03-23T11:45:30.474065Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474074Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"dadbd564c4fec1cb6a3e2be92031f22b1ddd19796d5d9639bffb927599c69a8d", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ba5caa18-d697-58fe-807a-38def385a2e7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985814Z", "creation_date": "2026-03-23T11:45:29.985816Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985821Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a", "comment": "Malicious Kernel Driver (aka NQrmq.sys) [https://www.virustotal.com/gui/file/ad938d15ecfd70083c474e1642a88b078c3cea02cdbddf66d4fb1c01b9b29d9a] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ba5ee5c0-6a3f-55cb-81ce-3728252362d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614718Z", "creation_date": 
"2026-03-23T11:45:29.614720Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614726Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9529efb1837b1005e5e8f477773752078e0a46500c748bc30c9b5084d04082e6", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ba5f1ea8-cd37-5d52-9788-48abb875c686", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148660Z", "creation_date": "2026-03-23T11:45:31.148661Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148667Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "356851d609ce4becafec5ea6fd7548d25d6cc9e711d03d2d6a6513a30480a0ee", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ba6007ff-6a13-5571-b09a-d572966b0cc3", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483891Z", "creation_date": "2026-03-23T11:45:31.483895Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483903Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3e9f19cb357291cc073b6396ec5cea5093daa2d47332b44fed69d9b904c21dc5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ba734b3c-b826-5902-abc9-344346ee150a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.478125Z", "creation_date": "2026-03-23T11:45:31.478129Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.478155Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"9b6cc38c48e21cbb8320efaa3720e61521c35f9b1e2d6e28c081f1a9eff4bff3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ba80a52f-815a-5fb3-8806-3467e244e7d8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470371Z", "creation_date": "2026-03-23T11:45:30.470375Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470383Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6c9f431814cd58365468ac63ba8b6693c3dd2a2b3ef37b23e5d80d75083b784d", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ba82a4e1-36f8-5911-b96a-7c6eda84401d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821429Z", 
"creation_date": "2026-03-23T11:45:31.821431Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821437Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8542409e3eed1df27f43d714d6b6851bb56627d089c173e331c81527f0c2de0b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ba86d04e-c59c-5e3f-a520-e85ac1cfa5bf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614921Z", "creation_date": "2026-03-23T11:45:29.614923Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614928Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d0bd1ae72aeb5f3eabf1531a635f990e5eaae7fdd560342f915f723766c80889", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ba8962cc-67c0-55c6-8471-db6ff24ea846", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820581Z", "creation_date": "2026-03-23T11:45:30.820583Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820589Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8d3347c93dff62eecdde22ccc6ba3ce8c0446874738488527ea76d0645341409", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "baa2ad79-d2d2-5410-b99e-3bed74860950", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474321Z", "creation_date": "2026-03-23T11:45:31.474325Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474334Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"eb84b21bf29dd29ba121b45653c998984a3c39a8c9cfda04932aeb6d91cd77d7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "babeea83-195d-53a5-8939-98c1a7b677b4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478635Z", "creation_date": "2026-03-23T11:45:30.478639Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478648Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd628061d6e53f3f0b44f409ad914b3494c5d7b5ff6ff0e8fc3161aacec93e96", "comment": "Vulnerable Kernel Driver (aka Tmel.sys) [https://www.loldrivers.io/drivers/1aeb1205-8b02-42b6-a563-b953ea337c19/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bac5b704-595a-5d81-a6c2-cf10fb1e9d68", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494619Z", 
"creation_date": "2026-03-23T11:45:31.494621Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494627Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "04a3a31b33be0f29a9b291591db1a53dc8cbcd1a272c999f161f332acf93c7d6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bacd9290-5194-519b-8f8f-8975173b14d3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473203Z", "creation_date": "2026-03-23T11:45:31.473208Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473218Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "25cd2b80f1440852e73b38aaefa23257d8f806eb7b1449d81cb6443e9b8fe39b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bad12054-2ab6-5c92-883c-d95f57c33db0", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457216Z", "creation_date": "2026-03-23T11:45:30.457219Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457229Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "afc1873543735d6299543d91d7c09ee1fa1588ff9f131ba4aedcd32b984c8ec1", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "badcf67a-2949-590f-8a34-cf6e75d3409a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492390Z", "creation_date": "2026-03-23T11:45:31.492392Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492398Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"213ab0806c1ba92b72d59fdd90f9bb3bfe55611ac92d35ffbab172e5b1421dde", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bae1dfb8-a483-56fa-97f3-e4b784dac231", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976500Z", "creation_date": "2026-03-23T11:45:29.976502Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976507Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9c31a9fbf833b732b5f3f06c31e200994a65ce187260e66eff62278660dba4ef", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bae3819f-dfd8-58c7-8bdb-5a0de63b03f7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454793Z", "creation_date": "2026-03-23T11:45:30.454796Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454805Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f7d72d22cd4ad3e44fd617bdb4c90b9a884f4eb045688c0e3fb64dd33e033eaa", "comment": "Vulnerable Kernel Driver (aka mhyprotrpg.Sys) [https://www.loldrivers.io/drivers/ebdde780-e142-44e7-a998-504c516f4695/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bae7bc1a-588b-537c-91b7-2abf3965733e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477260Z", "creation_date": "2026-03-23T11:45:30.477263Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.477272Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1228d0b6b4f907384346f64e918cc28021fe1cd7d4e39687bca34a708998261a", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "baea4a00-cf18-502b-bfac-52951b683e81", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984424Z", "creation_date": "2026-03-23T11:45:29.984426Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984431Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d5cc046c2ae9ba6fe54def699f1c4fa92d3226304321bbf45cc33883ce131138", "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "baf0918f-bea7-5fbf-9977-5e13671583b7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612915Z", "creation_date": "2026-03-23T11:45:29.612917Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612922Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0483b32f9544e9c3cc3f206e7bc983ea83f5a9ca44864f2af9b8fc10ff45949f", "comment": "Marvin Test Solutions HW vulnerable driver (aka Hw.sys and Hw64.sys) [https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bb01abf2-b845-5e38-9a8b-29b3b3fb87a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459104Z", "creation_date": "2026-03-23T11:45:30.459107Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459114Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "65a3e69854c729659281d2c5f8a4c8274ad3606befdcd9e1b79d3262f260bfa1", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"bb01e362-6e05-5e46-aa7f-ead50304ebf3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975360Z", "creation_date": "2026-03-23T11:45:29.975362Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975368Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "001cd8b2ce1932d1a8c32bc2d643ee4fa6f67626d1b6895beea916285450566c", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bb0cbf95-c47e-5840-bfba-a5747914b40b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822078Z", "creation_date": "2026-03-23T11:45:31.822082Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, 
"hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822090Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "74020c03e63a367cf16e08644a2f7427704312c219c3d7b8f84c549059bfddb0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bb13ceb8-daed-5eb1-9fdb-217983682499", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480674Z", "creation_date": "2026-03-23T11:45:30.480677Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480686Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fc23abdcf93928e1db8401a7ff53c86c85230a8637c4168f7434208f9e8b5ded", "comment": "Vulnerable Kernel Driver (aka PDFWKRNL.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bb13d187-132c-5349-b65d-717b4c7828e3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159517Z", "creation_date": "2026-03-23T11:45:31.159519Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159525Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8e3627239b09b34f1fc404f536b1599e3d27eecdac4c14129f7babeea25214ea", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bb1e75f5-b6fb-57a0-b769-4ed7be50140d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984711Z", "creation_date": "2026-03-23T11:45:29.984713Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984719Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "025e7be9fcefd6a83f4471bba0c11f1c11bd5047047d26626da24ee9a419cdc4", "comment": "Dangerous Physmem Kernel Driver (aka asmmap.Sys) 
[https://www.loldrivers.io/drivers/d0048840-970f-4ad5-9a07-1d39469d721f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bb262c08-cfb5-561e-82ef-98ecb723d25f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969751Z", "creation_date": "2026-03-23T11:45:29.969753Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969758Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "29a560a11292c4224a401392e091a8f08230fdfea35521035e2bfda0b3d1f952", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bb26968d-afdf-5fc3-997c-c7e49f5817d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825504Z", "creation_date": "2026-03-23T11:45:30.825506Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:30.825511Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "157f9f36041dbc09548cd87687995d9e8b9b30a80fc7e9bad6d8cfa943489d3a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bb2e5d51-f2ef-503a-8c98-1cdd3094481d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621106Z", "creation_date": "2026-03-23T11:45:29.621108Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621114Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "119c48b79735fda0ecd973d77d9bdc6b329960caed09b38ab454236ca039d280", "comment": "CoreTemp Physmem dangerous drivers (aka ALSYSIO64.sys) [https://www.loldrivers.io/drivers/4d365dd0-34c3-492e-a2bd-c16266796ae5/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bb381b37-eb0f-56f0-8ab0-f3ff9a1fa717", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835628Z", "creation_date": "2026-03-23T11:45:30.835630Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835636Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fcf3456fa90bdac43a1f4c63fcfd9a8ad3b3a404a8c0f6a1a399a671d4a52ae5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bb3c0b66-a239-59dd-8613-d33b8ec70ebf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826336Z", "creation_date": "2026-03-23T11:45:30.826338Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826343Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b6ac5a594db3b536fe6b74f54a09055428fcefc2e9cf19124a910fc0e322ee0a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bb4fbb14-b40a-514e-84ba-c314b653152e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969541Z", "creation_date": "2026-03-23T11:45:29.969543Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969548Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2bfad74a63ad223656a3b27fb3edc92bbef7dce431ccdb835d3cbae6a08a08f5", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bb53ed46-1d61-5c0c-b0e3-e29d7a0db0ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488969Z", "creation_date": "2026-03-23T11:45:31.488971Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, 
"hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488976Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7e987f8edeb917dbc06d1756d09ea983697e7062dfe33f34cae2183c22fae5bb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bb59b217-adf2-575f-9b86-9f84430f0332", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498091Z", "creation_date": "2026-03-23T11:45:31.498095Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498103Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ca08a2401b1ddb538b7883cee05360ecac816b0dc17a822fc23d6d05d6c1a0a2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bb5f708c-83df-5e62-ba3f-ab4a718570b9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146378Z", "creation_date": "2026-03-23T11:45:32.146380Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146385Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a3b12d9f35f9acd46d7e21627ad3e29149d203e211d665a3e03103f9cb7e4b86", "comment": "Vulnerable Kernel Driver (aka wsftprm.sys) [https://www.loldrivers.io/drivers/30e8d598-2c60-49e4-953b-a6f620da1371/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bb5ff984-80b7-5b80-b6ae-0c3f11051500", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807254Z", "creation_date": "2026-03-23T11:45:31.807270Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807283Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e1264becef907f7f33e8ba9106375e7c902b8835e58b10f9b54a54c2de7db2e8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bb777081-0212-53e9-a817-97a8f87223da", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822709Z", "creation_date": "2026-03-23T11:45:31.822712Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822721Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0a04658d24014cde98165b44854d4d64b0fc908bc20d6ab3c8d89fef31b48661", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bb77fda6-5e02-5a98-82b5-b47380399b4e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469162Z", "creation_date": "2026-03-23T11:45:30.469165Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469174Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2dd2620e1c844738429ba31e2545a8b2de1387117e4f24d6fe7fd4246b09ac39", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bb823228-c5ff-5ed2-ac22-b3d76613c9df", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830052Z", "creation_date": "2026-03-23T11:45:31.830054Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830059Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "edacedc3c79728d1958506890c461ff0cd15735309a26cbe4308befbf527c23d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bb83c7c0-829e-5cd5-aa39-08fd9a7c785d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464034Z", "creation_date": "2026-03-23T11:45:30.464037Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464046Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d37996abc8efb29f1ccbb4335ce9ba9158bec86cc4775f0177112e87e4e3be5c", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bb845f78-6d05-5590-9971-bad3cdbd7a3b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141733Z", "creation_date": "2026-03-23T11:45:31.141735Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141740Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "702fcd3be8e060e1aa22b9854e14bcf312425c388c2ce9185cd082430c555e9b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bb999384-d931-596b-b79a-1b771f337164", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830473Z", "creation_date": "2026-03-23T11:45:30.830475Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830481Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47dd83a8770fc755c1cc0440ef1baa1e262b03a774f200276b1b82ae5b7ed4f7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bbb09f38-bb2a-5a74-b1ad-be76aa2c6f93", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815309Z", "creation_date": "2026-03-23T11:45:31.815310Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815316Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cdfa1c5aade70879639bcfd4f08ab909d0e7479e74817f42a4af2d49d80b5f85", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bbb88b8c-e5fe-5482-ba8f-01073e71b7a5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833643Z", "creation_date": "2026-03-23T11:45:30.833647Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833656Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "28124094439a1fb9a8988bcfb37bd02f21988c4a74ecd8f869466102cc3d2bf5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bbb8fde8-3eb9-588a-b63d-b434b6101cfa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608777Z", "creation_date": "2026-03-23T11:45:29.608779Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608784Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a5a2fe8ab935cf47f21e0c5e0de11a98271054109827dc930293b947d3b05079", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bbdabf3e-4a4d-574c-811b-af696ffa7630", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621193Z", "creation_date": "2026-03-23T11:45:29.621195Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621202Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d3966edd6b2291aad8ce21f35f85ea18a60e5c382891809bf4d4e07d0b0c61a8", "comment": "CoreTemp Physmem dangerous drivers (aka 
ALSYSIO64.sys) [https://www.loldrivers.io/drivers/4d365dd0-34c3-492e-a2bd-c16266796ae5/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bbde88ba-f337-5cd1-b29d-272203753854", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980098Z", "creation_date": "2026-03-23T11:45:29.980100Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980105Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "93d873cdf23d5edc622b74f9544cac7fe247d7a68e1e2a7bf2879fad97a3ae63", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bbe92855-d0b8-598c-aec6-5c24529e370c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475697Z", "creation_date": "2026-03-23T11:45:31.475701Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.475711Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ce90d578ca16d80e853080a5bc7daf91130b02ec8a76c73f7d0b66c4a9600ba5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bbf85d81-be35-58e9-ae72-96781c300730", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457803Z", "creation_date": "2026-03-23T11:45:30.457806Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457815Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e7b79fe1377b3da749590c080d4d96e59e622b1013b2183b98c81baa8bf2fffe", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bc23c5ab-062c-5d98-85cf-920cb46b7a47", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612146Z", "creation_date": "2026-03-23T11:45:29.612148Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612154Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "df3fd9fa267e12d7c6b65028373e21978041f0c94375b5c7316498fbad6f4ae0", "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bc338102-66c0-5989-9b17-42f74e11fded", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613495Z", "creation_date": "2026-03-23T11:45:29.613497Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613502Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "904d8d0db7b3ed747ecfbb04386dfbe23b71ffd054f32ab17f65bc17d500f730", "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] 
[https://www.exploit-db.com/exploits/45716] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bc3c1461-a090-5a30-846f-a9eab6d90afe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971309Z", "creation_date": "2026-03-23T11:45:29.971312Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971320Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab2632a4d93a7f3b7598c06a9fdc773a1b1b69a7dd926bdb7cf578992628e9dd", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bc3e60c7-e00e-5a31-9130-700992144386", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973940Z", "creation_date": "2026-03-23T11:45:29.973949Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, 
"hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973954Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bcfc2c9883e6c1b8429be44cc4db988a9eecb544988fbd756d18cfca6201876f", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bc3ee6f9-b4aa-5aa1-bc29-cc880402c9d2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982218Z", "creation_date": "2026-03-23T11:45:29.982220Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982225Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d475c4fe917020d420b5d0cf1f074b1427f49bd1f4414873501be51700f8832d", "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/b03798af-d25a-400b-9236-4643a802846f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bc53a9ef-7ecd-582e-b27d-29cda1eff782", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835993Z", "creation_date": "2026-03-23T11:45:30.835995Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836000Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a2a952ae1cb72f017e48e6d382d20765883b3ce2bc5ca15c4da0d07773551aa3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bc56ebfa-7aac-52a9-b34a-524e630fcbfb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461469Z", "creation_date": "2026-03-23T11:45:30.461472Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461481Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "70b63dfc3ed2b89a4eb8a0aa6c26885f460e5686d21c9d32413df0cdc5f962c7", "comment": "Vulnerable Kernel Driver (aka netfilterdrv.sys) 
[https://www.loldrivers.io/drivers/f1dcb0e4-aa53-4e62-ab09-fb7b4a356916/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bc57c00c-40f2-5f3f-b847-711d7f149cdc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976371Z", "creation_date": "2026-03-23T11:45:29.976373Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976378Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7f4555a940ce1156c9bcea9a2a0b801f9a5e44ec9400b61b14a7b1a6404ffdf6", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bc788772-cb85-5ca2-bc40-4bd00edceec5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821978Z", "creation_date": "2026-03-23T11:45:31.821982Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821991Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "214b840974ebc8cd5a2ba581ee1a903712b8c6db0fcc6f5a998cb732c9184b97", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bc8185cd-125d-59f3-8e9e-9a36cbc3dd46", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153542Z", "creation_date": "2026-03-23T11:45:31.153544Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153550Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "56ebc84e95e54a28d8bb557ebdbdc89a4e7b9205c653298a0bcc3a0159269a1b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bc81b4c2-3d5c-5ace-8017-52ed6980f453", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830615Z", "creation_date": "2026-03-23T11:45:30.830617Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830623Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b8d8cf37f98bb285db5b6abcfe1b25fb0c2b43dc2146dc1714af88fd6ae9cab7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bc89e5a8-6cc1-5ab7-bca9-03d3917f1a27", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617219Z", "creation_date": "2026-03-23T11:45:29.617221Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617227Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a7b000abbcc344444a9b00cfade7aa22ab92ce0cadec196c30eb1851ae4fa062", "comment": "Noriyuki MIYAZAKI's WinRing0 dangerous driver (aka WinRing0x64.sys) [CVE-2020-14979] [https://www.loldrivers.io/drivers/f0fd5bc6-9ebd-4eb0-93ce-9256a5b9abf9/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bc8acceb-e8e2-54f1-8063-00f933dbeaa2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969647Z", "creation_date": "2026-03-23T11:45:29.969649Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969654Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e76d989489c80b5e57b12b0dbfe04063701cb0e1239a9dbe50498978dd5a71ba", "comment": "Avast Vulnerable Driver (aka 
aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bc928b78-a713-5f4d-a57f-c8b22af44afd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.484359Z", "creation_date": "2026-03-23T11:45:31.484362Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484372Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c36b249512c286e8c26149c44ee703da62698a754413b0cc5a55d42e06b3509f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bc9367bd-aeed-5e97-9bfb-98309337a8b4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499459Z", "creation_date": "2026-03-23T11:45:31.499462Z", "enabled": true, "block_on_agent": 
true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499470Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1d47053aa2533e477f86a6848b1ca9b895cf4b3bfb2870d9481be4321b7defbf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bc9d50be-07f3-598a-ab27-9e73c429f93c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467442Z", "creation_date": "2026-03-23T11:45:30.467445Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467454Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ac415873e0a8638f5154ac4c1713b6f0527119b59706df65a5b3ed73ece02a6", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bca5722f-c83d-5260-bdc0-cd6044901b41", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972681Z", "creation_date": "2026-03-23T11:45:29.972683Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972689Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5f353fc46843155b6b63e75994f5328b9d4344654d5759a5145cd6e64babe3de", "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bca66824-c9b5-5edd-80b6-52903e933a6a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615606Z", "creation_date": "2026-03-23T11:45:29.615608Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615614Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"48ac8ae911c490e1b7f7813c0f345677e110ffaa9ef385b86ca25e5519e2c0de", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bcb3b05b-8299-5fa4-8f9b-bc5e9f4a1e24", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148131Z", "creation_date": "2026-03-23T11:45:31.148133Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148139Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eafe1af8bd0bf72746a7dac888fab44660b7874e7dc873f3b841534bd4a288b9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bcc3d352-47de-5596-8828-c622a24bc267", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:30.470640Z", "creation_date": "2026-03-23T11:45:30.470643Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470652Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dca34739f3935caed2af248206452e7ba1fdf394c901e74729b5a96884dc6228", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bcc709ac-d8fd-57b9-8ba0-995016e9cb19", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453912Z", "creation_date": "2026-03-23T11:45:30.453916Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453925Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0181d60506b1f3609217487c2c737621d637e1232f243f68c662d045f44d4873", "comment": "Malicious Kernel Driver (aka 4118b86e490aed091b1a219dba45f332.sys) [https://www.loldrivers.io/drivers/b32d8d7d-0dc2-4d09-a306-8efc4caf1839/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bcc7712a-d3e5-5bb1-941c-d2f950191884", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462398Z", "creation_date": "2026-03-23T11:45:30.462402Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462411Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bd9386206a5dfdf63bf642e2917fae6d5e8a1e52874cb2cfbabf79e47b9fed74", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bccb1037-c236-5ce3-b136-645abad8f0fe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479699Z", "creation_date": "2026-03-23T11:45:31.479704Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479713Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"1799e5e5eb44ccfc05a608a774123de9904eb0a7ef66b5bc700bbe6cc2c8050b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bccb6707-2470-56d6-be44-f176b497bb65", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827551Z", "creation_date": "2026-03-23T11:45:31.827553Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827558Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ac886acabff4efcbb5bf8c3646ffc3d69b430071c930f75901cc28fca58b0426", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bcda955c-3634-58d4-92e9-361191d9d609", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978994Z", "creation_date": "2026-03-23T11:45:29.978996Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979002Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7e0124fcc7c95fdc34408cf154cb41e654dade8b898c71ad587b2090b1da30d7", "comment": "Vulnerable Kernel Driver (aka PanMonFlt.sys) [https://www.loldrivers.io/drivers/cfdc5cb4-be5c-4dcc-a883-825fa72115b4/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bce01599-c641-5086-a0b7-3fb2ffe52c23", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828530Z", "creation_date": "2026-03-23T11:45:31.828532Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828537Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0b68e91f11b63ed6b2caa8b8c03bcc5b28210fdf36fab9ce1d9706fb8e9e5285", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bce30193-0a7c-5256-8365-382d9c2b9fe5", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494600Z", "creation_date": "2026-03-23T11:45:31.494602Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494608Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bce14e5016db8663b596dadca0e015ff9a067b79f160ef7bbab9b3db0035bfd5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bce7a2ff-307a-5412-a8e6-8f6f79c2d373", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494674Z", "creation_date": "2026-03-23T11:45:31.494675Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494681Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "e25cdb818e9d00ec76d9d9629c9e25878a7b24391f3bd74d848ae369aea7e381", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bced4887-af6e-5e73-904c-d6248d1f8623", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465340Z", "creation_date": "2026-03-23T11:45:30.465343Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465351Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d032001eab6cad4fbef19aab418650ded00152143bd14507e17d62748297c23f", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bcf3791a-24c1-5d9f-a703-540502e0d76d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813272Z", "creation_date": "2026-03-23T11:45:31.813274Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813282Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e655b8c85566dc7158cb381a0c045fe5e37614a3e6a6bd856884583a05217d1a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bcf68611-1727-5f3e-beb2-0284c7e762e7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827508Z", "creation_date": "2026-03-23T11:45:30.827510Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827515Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "69ae4f18c56e45904550ed993c4b177bf2ade201b94e6a3307dbfae8a5747cc4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"bcfda42b-da19-5e1c-94c7-cdf817174cd8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156620Z", "creation_date": "2026-03-23T11:45:31.156622Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156628Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f3cfa1b06a0aa138c7c65e8c9a796592e04bd6ec2ed245fd27f512df0996ef25", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bd059a01-bd8f-5f9a-b2ec-2193df342840", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606687Z", "creation_date": "2026-03-23T11:45:29.606689Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606695Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "28f82b626697dcdccdcc1dee693e9f5c0e605f794f93bb04a3bb80cf0e9f0601", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bd07fe6f-3d62-5a5e-9cb3-09bf20ffec0d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822600Z", "creation_date": "2026-03-23T11:45:30.822602Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822607Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "df1fa63048807a9372a9b29baa712ef3c448ae28fc2c7da559714e40b1321a4d", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bd149903-88ca-5cc4-a923-d8de6639499d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609058Z", "creation_date": "2026-03-23T11:45:29.609060Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609066Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6f1fc8287dd8d724972d7a165683f2b2ad6837e16f09fe292714e8e38ecd1e38", "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bd1c7056-6de1-5e1a-9e52-5e729d415158", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145325Z", "creation_date": "2026-03-23T11:45:31.145327Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145332Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4133b502bddff463b1f8555bb3e67c607a13a2920e8d80e5d42616a212035fa4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bd28842c-cc9a-5f1c-bf04-17e77c85d351", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475188Z", "creation_date": "2026-03-23T11:45:30.475192Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475200Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0381632cd236cd94fa9e64ccc958516ac50f9437f99092e231a607b1e6be6cf8", "comment": "Vulnerable Kernel Driver (aka bs_rcio64.sys) [https://www.loldrivers.io/drivers/cacf18a5-6d7d-4a63-92d4-bda386a3da18/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bd2a54c9-39a4-5d07-81a5-7354b00b57a7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836523Z", "creation_date": "2026-03-23T11:45:30.836525Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836531Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"45962808c890a618c9552c9412e249e8f477cc4d426ba4037bd828f7ee603569", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bd33f6f1-622c-5313-8993-e662fa2fc3a5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819295Z", "creation_date": "2026-03-23T11:45:30.819297Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819303Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "43136de6b77ef85bc661d401723f38624e93c4408d758bc9f27987f2b4511fee", "comment": "Vulnerable Kernel Driver (aka hwdetectng.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bd3ec56f-017e-5d28-ba5f-a2e6ac69bee5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.457718Z", "creation_date": "2026-03-23T11:45:30.457721Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457731Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c6389dca278be297b95846badc2b6859b488f123dbdc5d7bfc6f4393eeb7e678", "comment": "Vulnerable Kernel Driver (aka rtkio64.sys ) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bd41f12c-3491-5d38-887d-3dce22660146", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464090Z", "creation_date": "2026-03-23T11:45:30.464093Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464102Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c4f041de66ec8cc5ab4a03bbc46f99e073157a4e915a9ab4069162de834ffc5c", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bd43a33c-8907-50be-9143-ff3fd494b642", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152750Z", "creation_date": "2026-03-23T11:45:31.152753Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152761Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bedf7bf28b9f330e16311668e2adda26e62008113a74db2880691f38e62fbf02", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bd562f90-c592-56d5-8e9d-d6778bb32445", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619126Z", "creation_date": "2026-03-23T11:45:29.619128Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619133Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"a37371c4e62f106e7da03fd5bdd6f12ecdf7fcaf1195dbf9fb7ef6eb456a7506", "comment": "Vulnerable Kernel Driver (aka amp.sys) [https://www.loldrivers.io/drivers/ca768fc5-9b5c-4ced-90ab-fd6be9a70199/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bd596d3a-fc5f-511e-915c-44c13a83667a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827751Z", "creation_date": "2026-03-23T11:45:30.827753Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827759Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "40f6650ac8f07f2c1a76376940743c46d7a81364d4dd04c625691f3752aec4ef", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bd5de4cb-9a5b-5857-b284-c9b7f84851ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.986083Z", 
"creation_date": "2026-03-23T11:45:29.986085Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.986091Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "81f4258c5aee1bfe424880fbc61a1928a816014c502f010be03becbb42e648fb", "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bd638b77-aa52-58dd-9059-c1d7450be29a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.815840Z", "creation_date": "2026-03-23T11:45:30.815842Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.815848Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ebf0e56a1941e3a6583aab4a735f1b04d4750228c18666925945ed9d7c9007e1", "comment": "Vulnerable Kernel Driver (aka FPCIE2COM.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bd7635fa-20ae-51ce-8e45-f3ebc2196b1e", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619733Z", "creation_date": "2026-03-23T11:45:29.619735Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619740Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c9c60f560440ff16ad3c767ff5b7658d5bda61ea1166efe9b7f450447557136e", "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bd78fe86-180b-54d3-b29d-86852105f255", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152468Z", "creation_date": "2026-03-23T11:45:31.152471Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152479Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": 
"hash", "value": "fa8ef041d0fb7efdd210f1dc6da700c60d50b409e35487d7eb424ce333eb9eb4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bd9ab9b7-498b-5ced-b001-98f3704ae3bf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605322Z", "creation_date": "2026-03-23T11:45:29.605324Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605330Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7c52fdfb39d93de37a489e8899d01ef665d350d59c8b444eb88a9258bca7ec18", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bd9e6959-642d-5ef9-87d2-a210100da481", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472467Z", 
"creation_date": "2026-03-23T11:45:31.472471Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472479Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d40656cff5214074ff468ec3b57c6f25dcf90d39cdf242349dddd76cb27de1ae", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bda89e75-e6fb-5adf-920a-1352f52c4fed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.815974Z", "creation_date": "2026-03-23T11:45:30.815976Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.815982Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "52478f3ddd3d0b9eb098e66049d132cc5c7e05720bfc78b6550ce5a40306d993", "comment": "Vulnerable Kernel Driver (aka FPCIE2COM.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bda8cb6a-1d3b-50d6-8417-f6b3b90cd8b0", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976964Z", "creation_date": "2026-03-23T11:45:29.976966Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976972Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2107b1c150e9c60630d4306fdcd8d47dd8918e912210066ef5fa551b30a6eb1c", "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bdacc102-ebf3-5b24-9bf8-49c1ce8dd07b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621016Z", "creation_date": "2026-03-23T11:45:29.621018Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621024Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"3bc0cec99dce687304dad8f7a6daf772e695cbd0169d346d03ae12500361a1e8", "comment": "Phoenix Technologies Vulnerable Physmem drivers (aka Agent64.sys) [https://www.loldrivers.io/drivers/5943b267-64f3-40d4-8669-354f23dec122/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bdc44806-78c8-58a1-817e-e82e03a57593", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480117Z", "creation_date": "2026-03-23T11:45:30.480119Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480124Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b78eb7f12ba718183313cf336655996756411b7dcc8648157aaa4c891ca9dbee", "comment": "Vulnerable Kernel Driver (aka IoAccesssys.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bdc77bc7-804d-5546-9ada-4968629588e5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151143Z", "creation_date": 
"2026-03-23T11:45:31.151145Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151150Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1a0c8585a071d0a69c1db2c3817a7ebed2b3172620927673d43f4de5ae7fee1b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bdcc8ce2-a136-59fb-babd-ae32ca35154d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985045Z", "creation_date": "2026-03-23T11:45:29.985047Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985053Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c786f3ca229da18b2806af4d57ecad603859ee548549b19f71a623f477fc740e", "comment": "Dangerous Physmem Kernel Driver (aka Dh_Kernel.Sys) [https://www.loldrivers.io/drivers/dfce8b0f-d857-4808-80ef-61273c7a4183/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bdd2dd2a-b577-532c-9470-3c79ec661c51", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815178Z", "creation_date": "2026-03-23T11:45:31.815180Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815186Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "86fca8a2417289f6e57e965b57c77afc25a2e0238f7b15fa6749e36ccc8333ed", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bde7dd90-5d3b-5561-b0ac-8a365b8d330c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827769Z", "creation_date": "2026-03-23T11:45:30.827771Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827776Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"81f31698797fd3e2be5c0122331c42df3158f40dcbd9badf42078371deceab13", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bdf0da74-9213-5a2d-a5cf-3f5b77847594", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819516Z", "creation_date": "2026-03-23T11:45:31.819520Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819528Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9318ed6cf1c407c5766755322df3d11e268be558c1446c8b75d0e4da2ed05e08", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bdf23a90-d655-5493-ab5e-d083098e8b56", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825633Z", "creation_date": "2026-03-23T11:45:30.825635Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825641Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1293155f307ac61973d7f0d05e7e22df5ee14d23ca9b63556f836186be8145a6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bdf38bea-f5f7-5f5a-8ab5-d20864bcd9cd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617712Z", "creation_date": "2026-03-23T11:45:29.617714Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617719Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "626fae47811450d080d08c3d9fd890aa64bfecdc45eacd42a40850c1833c8763", "comment": "Cheat Engine dangerous driver (aka dbk64.sys) [https://www.loldrivers.io/drivers/1524a54d-520d-4fa4-a7d5-aaaa066fbfc4/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bdf42d1c-5ee2-529e-a411-0d07752d8d62", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819354Z", "creation_date": "2026-03-23T11:45:31.819356Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819361Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3cd55592a03556e29d89dbf5e3cc6db5e0aaab74ccba59cc467131843c01ea76", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "be330886-88d8-587d-a166-2fba15218648", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457929Z", "creation_date": "2026-03-23T11:45:30.457933Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457941Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "202d9703a5b8d06c5f92d2c5218a93431aa55af389007826a9bfaaf900812213", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "be3531ac-e090-5a60-9200-ee929127bb23", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975552Z", "creation_date": "2026-03-23T11:45:29.975554Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975559Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b50ffc60eaa4fb7429fdbb67c0aba0c7085f5129564d0a113fec231c5f8ff62e", "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "be62872f-9a8b-5c95-8aaf-6263eea69ab2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825441Z", "creation_date": "2026-03-23T11:45:31.825443Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825448Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b864ffab5fb7c53696543377bc03efc301c2ae33ff0314e2a2bf437f3c66faa6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "be66222a-d7ab-543b-9ae7-038aba3f66cd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967658Z", "creation_date": "2026-03-23T11:45:29.967660Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967665Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "34954e34f958648557a2cab18491f900183a1ef516949d681c20e11920a3117f", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"be788b55-4e26-5d69-9526-d5dd88b97f08", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474713Z", "creation_date": "2026-03-23T11:45:31.474718Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474728Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fdc8ffee7073f1bcc9ebf768897a57b74a27011be1112420e09a0841eeba9530", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "be7967db-75e9-57bb-aae7-a36f208017d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606540Z", "creation_date": "2026-03-23T11:45:29.606542Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606548Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c286dfac5ca413efeb1936e876688b6bd46d25dc64206f86efb4f52ad83d1889", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "be846ef1-c5a5-5306-bb6f-4755a93c3a65", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822727Z", "creation_date": "2026-03-23T11:45:30.822730Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822735Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b6d91487921478891e5570663f23a473b1b0490f8cf75bdeb7ab00111999fb9b", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "be8d3d00-f0ab-57b3-aa0b-4ba1c318f131", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813322Z", "creation_date": "2026-03-23T11:45:31.813325Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813333Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e6fdd4baacdf0ab03ed12749d84e32423ea25dadc0e1a8c7d79f44397bc09951", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "be966eb6-bec3-53c3-bb70-c88309e979e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604825Z", "creation_date": "2026-03-23T11:45:29.604827Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604832Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "078998502b2dd463b8acd5488ee18645c876bb50ebd87e1b0f9ff845a29a2098", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bea296e6-3bd8-5f55-9def-6620c0baf99e", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611376Z", "creation_date": "2026-03-23T11:45:29.611378Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611383Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "47c9323ae818bd2a3b55fc04abd984bd940cd4e27b6d4af311edcb66988ce941", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "beabe1d1-2fb2-5fab-bc50-ff1926806942", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979151Z", "creation_date": "2026-03-23T11:45:29.979153Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979158Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a", "comment": "Vulnerable Kernel Driver (aka elrawdsk.sys) [https://www.loldrivers.io/drivers/205721b7-b83b-414a-b4b5-8bacb4a37777/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "beb2b947-cb6c-5c16-bd9c-ef99ef6f1c56", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820720Z", "creation_date": "2026-03-23T11:45:30.820722Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820727Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d9a73df5ac5c68ef5b37a67e5e649332da0f649c3bb6828f70b65c0a2e7d3a23", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bec14d6b-515d-55ae-a358-dffb3e4754a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620710Z", "creation_date": "2026-03-23T11:45:29.620712Z", "enabled": 
true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620717Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8ef0ad86500094e8fa3d9e7d53163aa6feef67c09575c169873c494ed66f057f", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bec7c8fc-986e-5da0-8288-1fe4d0d1af2a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160118Z", "creation_date": "2026-03-23T11:45:31.160120Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160126Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd35afd8d1b89bf4c00b5e9131f1abc82dc0492ec466b2c4b6bc6a633355b38a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bedc08e1-9d55-53ec-96eb-f7c2ac10eab7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485006Z", "creation_date": "2026-03-23T11:45:31.485010Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485020Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "23b1fd33139874b173a22dfa0b9f240ce0c562e5e0da753986b934ed9a49e82d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bedf6623-4a2a-576e-a387-1ff4a0827455", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809758Z", "creation_date": "2026-03-23T11:45:31.809761Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809770Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"525e959c75100ce85a55dd0bc284f5ba49cee289f92c8d2c5184c31961bed7cc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "beeeec48-42d7-581a-a30a-c372a49a9c52", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814094Z", "creation_date": "2026-03-23T11:45:31.814098Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814107Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4afa14df5befa201438f898beaecd73750744a0dbdc065544c9b33edd5b79ded", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "befcfb04-7567-5250-809a-ec8a6ddba923", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824032Z", "creation_date": "2026-03-23T11:45:31.824035Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824043Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea577fad09163c9eb5dcfbfe629a06990453244e9c0abb582c223a6c2a1961ae", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bf08c60b-ae4d-574a-a101-317199e9ce0d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486322Z", "creation_date": "2026-03-23T11:45:31.486325Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486332Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2c3790006220e0e530320e78f0cad5127f3c90e02db53efd0ff07b5faa55fabd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"bf1274ca-4790-5d42-931a-b220d17af2a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470400Z", "creation_date": "2026-03-23T11:45:30.470404Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470413Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1425075f7a3f009f703ca8d5bbbfe2cfbc1a7de7f5e17d50708ba99dc0f668ff", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bf17718e-d443-584b-9715-a4ec1b72d81d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143598Z", "creation_date": "2026-03-23T11:45:31.143600Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143605Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "60c2dd1c26116e207db74d90fb6952797dd8e1f3dc54a0a9a34241be556778ac", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bf362bdd-e443-50fb-947a-c39425923c58", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472920Z", "creation_date": "2026-03-23T11:45:31.472923Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472932Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ed00b27f65e9161f83cbed6ba033f4efb0af9160ea380b1a46c0421898089501", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bf3b495b-5e32-5e06-8eca-0ec57efa5602", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482794Z", "creation_date": "2026-03-23T11:45:31.482798Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482807Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e41cfb31e0fdd74f88c237d41672f8667af5179bde7cde0f32cb24101985de81", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bf4b144d-8d34-553e-b7e4-072372b5f86f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500522Z", "creation_date": "2026-03-23T11:45:31.500525Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500533Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f3504feac7e57bd16959ff16abb9afbd7c9f6ceefcc3da8d0ae978219cabcf71", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bf4d934d-6d28-5df4-86a1-d980771005ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495364Z", "creation_date": "2026-03-23T11:45:31.495367Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495375Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "10dd3a2c8745d92c95b8180775a87d7c17ddf6a88f14c59a41aa5fc78fdfe1a9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bf4edc0b-cf2e-5b3b-a825-54197d6976f1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816042Z", "creation_date": "2026-03-23T11:45:30.816044Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816050Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9452b5577681c74d568825c4e95c5c9a5e0f682782c8dd932a7d4d732e958802", "comment": "Vulnerable Kernel Driver (aka ecsiodriverx64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bf519582-f806-5ab3-b423-2e380ae63b48", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144192Z", "creation_date": "2026-03-23T11:45:32.144196Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144204Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "08c4b75a9b715647a60b946f3743c4e49a6f5c36c1bc889e741d658508dc50c0", "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bf556c4b-97d1-5f9b-a108-05e30c521d9c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145447Z", "creation_date": "2026-03-23T11:45:31.145449Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145455Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1f4f2f346a3e8035163a4fea0a6c2df2cbe0ea19399b2269fa9d4eacfdd4083c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bf5e4f01-2fe8-595b-bf7d-cda3125f35eb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821690Z", "creation_date": "2026-03-23T11:45:31.821692Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821698Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3cc8bbb5efb676b0aa2aea74d585bf1f7e245f81cbba8c79600373bfa37f509e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bf652d58-5aa1-5652-b643-baf3f25f4735", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985593Z", "creation_date": "2026-03-23T11:45:29.985595Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985601Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea3c5569405ed02ec24298534a983bcb5de113c18bc3fd01a4dd0b5839cd17b9", "comment": "Vulnerable Kernel Driver (aka echo_driver.sys) [https://ioctl.fail/echo-ac-writeup/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bf75b9ea-20b8-5f8e-a57e-66f3d9ca38c1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143653Z", "creation_date": "2026-03-23T11:45:31.143657Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143674Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": 
null, "references": [], "type": "hash", "value": "b1aa30ae6070876f539cb14013730d3d2d9ca3c805474d638d5b8c97bb101d44", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bfa30aac-8827-5dfe-a5c5-7dec3c184f50", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620278Z", "creation_date": "2026-03-23T11:45:29.620280Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620285Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "74a846c61adc53692d3040aff4c1916f32987ad72b07fe226e9e7dbeff1036c4", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bfad995b-2bca-5c3c-988b-f8d4b32dfa82", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815933Z", "creation_date": "2026-03-23T11:45:31.815935Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815941Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "24add6fcd09dda0b3ef57d8fa53d5d45b63aecd3e4b2d754259aa70a288e997f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bfbae45d-5a13-576a-a925-4b5eecdf87fb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617149Z", "creation_date": "2026-03-23T11:45:29.617151Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617156Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d7841ee6dac956cc0923368d6722063a19c9fa131e55c6f3b7484cce78d826f0", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"bfc56eea-275a-59e9-8931-ed4badd8e632", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143853Z", "creation_date": "2026-03-23T11:45:32.143855Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143861Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f6a5ef968bd0e47e1ca9433f8e8d0b9bed0aa0a3baf982fdc27b1cc3b4b857b8", "comment": "Vulnerable Kernel Driver (aka wnbios.sys) [https://www.loldrivers.io/drivers/baa168cd-eba2-42e4-95e9-47cb4b2f9094/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bfce2f03-01d9-557c-80ee-bf0cce65bf79", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487891Z", "creation_date": "2026-03-23T11:45:31.487893Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487898Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "7ce4ba2b520f8fc976a61f918d2f45affae7c9ea7cdaaeda17b820bdb2403a4f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bfd2c98b-f642-5ab4-b12a-59d6236a39f5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978301Z", "creation_date": "2026-03-23T11:45:29.978302Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978308Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fd33fb2735cc5ef466a54807d3436622407287e325276fcd3ed1290c98bd0533", "comment": "Vulnerable Kernel Driver (aka nt5.sys) [https://www.loldrivers.io/drivers/193df066-c27c-4343-a4eb-ad2ac417a4cc/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bfdc6746-3d3c-5cf3-9ca7-693ecf696f1c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:31.813533Z", "creation_date": "2026-03-23T11:45:31.813536Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813545Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b3e6015aad30c38d738387901350ea9ac362c09fb6e95c5cf2121b071a03a3d0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bfde6dd4-0ebd-5112-8755-67dcf74f1eb4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141716Z", "creation_date": "2026-03-23T11:45:31.141718Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141723Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3f6274c200454803cc82c9d595750fd7a0ad7f10ded56c42b3e42011024fea87", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"bfedc4ce-2464-5073-8e41-51b0167a1138", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155984Z", "creation_date": "2026-03-23T11:45:31.155986Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155992Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bf392302c14e22524c7fba846f62db690bbb0658a587d5025b7b9782e629a727", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bff29c72-5b94-58b4-9bf3-e4050d3d7f06", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980046Z", "creation_date": "2026-03-23T11:45:29.980049Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980054Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a47b9af109988e8e033886638edc84964968eecd0d24483eafaad6a6d68005ea", "comment": "Malicious Kernel Driver (aka wantd.sys) [https://www.loldrivers.io/drivers/892292f9-b87c-40a5-80e5-8c9b02914e8b/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "bfffad42-0996-5acf-b852-93d126b84b8c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826425Z", "creation_date": "2026-03-23T11:45:30.826427Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826433Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7716c3c62cf88db90fcd0b60854479a16dded16c91812544a77db3121f2eb8bd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c00856ea-bf67-511c-843d-4b76f615c7ef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827218Z", "creation_date": "2026-03-23T11:45:30.827220Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827225Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dfd936baaeb51542d04609043ed166b6a2a4e826e5e0e506757e8960fa3b03de", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c009df39-95fb-5c7a-9556-8ed074067f80", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976853Z", "creation_date": "2026-03-23T11:45:29.976855Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976860Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6a149695e1eeef8c4728f091be7d64304d7e00c8a2f27adc7d96a111de15a79b", "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c00f329c-e5af-5a5a-81da-fc09c6df712b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827049Z", "creation_date": "2026-03-23T11:45:31.827051Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827057Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "17308b1c03775e40fc1b37d8414502c81624b4d52c04875e8de1a496eccb808d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c01739ab-02b7-5ec3-a457-442a4c6769b3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148677Z", "creation_date": "2026-03-23T11:45:31.148679Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148685Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "930e0cf02d9a9146b1dd20c76f66826b624ead0e06cfd846d72bd7db61b2a086", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c01a4dc9-1302-5a55-b7f9-435fa669fe99", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609076Z", "creation_date": "2026-03-23T11:45:29.609078Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609083Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "81aafae4c4158d0b9a6431aff0410745a0f6a43fb20a9ab316ffeb8c2e2ccac0", "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c01a6684-9ee9-5967-8bad-a32d96b9074a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142611Z", "creation_date": "2026-03-23T11:45:31.142613Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142618Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d91d3ab359d4a166dac86de0ce5a1fbed39f4ca088e0b86f84c7c8939e6a7692", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c0232b97-f92b-5e42-a6b0-741e624acf8f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821413Z", "creation_date": "2026-03-23T11:45:30.821417Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821426Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d474ea066d416ded9ed8501c285ca6b1c26a1d1c813c8f6bd5523eeb66c5d01e", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c0279a45-b00d-5e31-9adc-0a565c41d537", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977532Z", "creation_date": "2026-03-23T11:45:29.977534Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977540Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a334bdf0c0ab07803380eb6ef83eefe7c147d6962595dd9c943a6a76f2200b0d", "comment": "Vulnerable Kernel Driver (aka CorsairLLAccess64.sys) [https://www.loldrivers.io/drivers/a9d9cbb7-b5f6-4e74-97a5-29993263280e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c02ae058-2788-5b39-93bb-7c9ab9faf70c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145677Z", "creation_date": "2026-03-23T11:45:31.145679Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145684Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", 
"value": "9ace913c9b494fd607a1e60796ad768ea1b61ff134d1e58b96843ebdb43986a3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c0478a06-a376-5c77-bfa5-8ac95f61709a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145200Z", "creation_date": "2026-03-23T11:45:31.145202Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145208Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8b6e6cd2ae8ffbda7595f079535e30b68f5d0586d3cdf0f263eb5ef403ec592c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c05c8cac-7038-58de-84be-4d7787d7027b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826104Z", "creation_date": "2026-03-23T11:45:30.826107Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826116Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aa30e85ea2288f721cbd2bc158aa616d0aac2f5695597e61179972581484324e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c05f1553-a658-5062-a37a-1285888edd5c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974229Z", "creation_date": "2026-03-23T11:45:29.974231Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974237Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cf0855a8517be550b08a981bfacf90f245791cd70620868a241f1b1e2d8dfd89", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"c05f71b9-73d9-5bc4-8e07-8b990c448a1f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481308Z", "creation_date": "2026-03-23T11:45:30.481310Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481316Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd57abaf2f20ea5b3f56db1193cb3772aa09bb2be3c4fa8001e7cf72ae1f078c", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c068b9b7-4ed1-5fb3-8ec2-abc81e31e000", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827647Z", "creation_date": "2026-03-23T11:45:30.827649Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827654Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "00e6fc33ba9861f673f857c74e65d65e90702013705e5170f4680565956c02ee", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c06cc91d-e589-5365-b939-a66a40f21754", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616550Z", "creation_date": "2026-03-23T11:45:29.616553Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616558Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ffc72f0bde21ba20aa97bee99d9e96870e5aa40cce9884e44c612757f939494f", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c0716296-abc4-555e-a39a-5ba2e48fecdc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, 
"username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462143Z", "creation_date": "2026-03-23T11:45:30.462146Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462155Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2c14bea0d85c9cad5c5f5c8d0e5442f6deb9e93fe3ad8ea5e8e147821c6f9304", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c077017e-28cb-5b91-9dab-85b0723adf9d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153175Z", "creation_date": "2026-03-23T11:45:31.153178Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153186Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "22d4ebe019788d7d9a7ab2e9e6ad1693dc0ebf8388666aba2de97dd59ee4bf02", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"c07a1478-e1be-5749-b54d-0e4e936500af", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815598Z", "creation_date": "2026-03-23T11:45:31.815601Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815610Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9ae049742c126352ad859127676551110405bbcabec461d637d3998241017a0a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c07ac49f-338e-53bf-8fe7-9b3b031d3e26", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826920Z", "creation_date": "2026-03-23T11:45:30.826922Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826928Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bb6710e984a8ce820b30f58ddd46c775b2b6136edcde493591ac4f3e48a9bc06", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c0916b8a-50e2-50e9-bc14-3eb7359839ef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145395Z", "creation_date": "2026-03-23T11:45:31.145397Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145402Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cb2597916344decf1afbdb771ab8d9ab3896be186f1fe20ef905273ed73e3629", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c09ea503-c0e2-521b-a260-cb89b4de2d21", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149371Z", "creation_date": "2026-03-23T11:45:31.149373Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149380Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0a16b0c655899e6bda9c8ece578726f638bbed70ae9a5a3140e1a5338c012607", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c0aad242-4b17-51b4-a2df-9d24c1ab726b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149981Z", "creation_date": "2026-03-23T11:45:31.149983Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149989Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a2cf29afe28aafd0e1ccbae0658cd58afb461355e625f0469585a2a6def12ae5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c0ac1726-04c6-5642-a4a3-85acd31ee339", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610776Z", "creation_date": "2026-03-23T11:45:29.610778Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610784Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c50f8ab8538c557963252b702c1bd3cee4604b5fc2497705d2a6a3fd87e3cc26", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c0ac5730-021b-5fae-9faa-937019673722", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473976Z", "creation_date": "2026-03-23T11:45:30.473979Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:30.473988Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5380daf2497ed35fc6d8b2a2f343dcbb95bb7384eea73781126a641ba3391af8", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c0cc64d3-deff-5e43-a7bb-139aa90d9702", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606995Z", "creation_date": "2026-03-23T11:45:29.606997Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607002Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a4859c5456d03f799de89d2f8cbb36b4518259a6c7c0bc909b1fd16f48363d5a", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c0d04003-ef54-51cd-a08c-b1e2087513d7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475913Z", "creation_date": "2026-03-23T11:45:31.475917Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475927Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d233b5fb67cafe05c29c6d97646bd398b7eec950d1375ee898f2ad6dbacb11c3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c0d16b99-aff2-5688-a0f6-e0b3e6aa6fd6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819976Z", "creation_date": "2026-03-23T11:45:30.819978Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819984Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "283a2e3eb9bad973e2ec439208f1bfb5121f8d9c37019b8a699be212f05964eb", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash 
SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c0d54b16-a6ef-5b19-adc6-79ae755d1515", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146510Z", "creation_date": "2026-03-23T11:45:31.146512Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146518Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3b250c6e21e8393c8f707fef88d4f0afc6ad24cef8590d3f6b269bc75fc4185b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c0d5bd27-7d43-551d-bd51-d19f9158fe72", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807483Z", "creation_date": "2026-03-23T11:45:31.807486Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:31.807491Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0aa450b1279a90d388466fb7b00a1663bb72d2e70efa1082044e23b18a5c62ae", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c0db53d7-324e-59e9-ae5f-6aab7fea03a9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980289Z", "creation_date": "2026-03-23T11:45:29.980291Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980296Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c0e16a20-2f4b-5e41-9ae8-556b1f851306", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818794Z", "creation_date": "2026-03-23T11:45:31.818797Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818805Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7b1437d1b7ea3e5b9be6c669db906b70ef958c6e1df62592a2e3ee43b210a3e0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c0e9aa31-fe03-57d0-9b57-a9ca54d28c9f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149807Z", "creation_date": "2026-03-23T11:45:31.149810Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149815Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1614e43c7556bcf6867d7c528ea7f7dc70a2bd90ef17ea35e85af1663a8b62d9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c0ecc777-a616-59dd-a21d-6851e8f058ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472560Z", "creation_date": "2026-03-23T11:45:30.472563Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472572Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "368a9c2b6f12adbe2ba65181fb96f8b0d2241e4eae9f3ce3e20e50c3a3cc9aa1", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c0ff4a9c-a10c-59b8-b1e7-8a31631dec95", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827194Z", "creation_date": "2026-03-23T11:45:31.827196Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.827201Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "266634c80d0a590988a6eaf326be0b04dfd346c56cc3d1a8e5def6dc0f9a33cf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c1029495-dc2b-58db-b570-a956d5d4788a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832205Z", "creation_date": "2026-03-23T11:45:30.832207Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832212Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0b6837a6b5af391099ddf151ad7a220d2ef95b169d1bcca4e5d9ce121252d918", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c105e7f2-c4cb-5e13-89dc-0a90a6dc5d5b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471713Z", "creation_date": "2026-03-23T11:45:30.471716Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471725Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "80599708ce61ec5d6dcfc5977208a2a0be2252820a88d9ba260d8cdf5dc7fbe4", "comment": "Vulnerable Kernel Driver (aka AsIO.sys) [https://www.loldrivers.io/drivers/bd7e78db-6fd0-4694-ac38-dbf5480b60b9/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c10b25ca-bcf0-5043-bd5f-1212d4ffa66e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832388Z", "creation_date": "2026-03-23T11:45:30.832390Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832396Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "799cb4ddae59494541ad811507438aeb0615ed08a2e903cb66c3dd923044b952", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c10c6634-195b-580e-8abe-8306bf287c05", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826371Z", "creation_date": "2026-03-23T11:45:30.826373Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826379Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4d500f10df3b61bef3060820d27fff5f3f4559ae38c9e591a94d429385f75f08", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c11cdbc5-4973-58e4-b0a4-f2566e2d553f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983578Z", "creation_date": "2026-03-23T11:45:29.983580Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983585Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc", "comment": "Malicious Kernel Driver (aka ntbios.sys) [https://www.loldrivers.io/drivers/eef1fcf4-8c54-420b-8d38-9c5f95129dcc/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c12d3150-a651-5c25-98f6-1e0853cc1888", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614770Z", "creation_date": "2026-03-23T11:45:29.614772Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614777Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "99f4994a0e5bd1bf6e3f637d3225c69ff4cd620557e23637533e7f18d7d6cba1", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c1343970-616f-59a3-9a1a-7f7bccc41961", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819192Z", "creation_date": "2026-03-23T11:45:30.819194Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819199Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "43dc82fd548218f0e916687c997291c8056dfdcc5b5f5616833437f96d806a64", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c1394bff-8005-59f3-b0d0-a44be27e95d7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968493Z", "creation_date": "2026-03-23T11:45:29.968496Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968501Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0b542e47248611a1895018ec4f4033ea53464f259c74eb014d018b19ad818917", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file 
SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c13f03b8-df2b-5c0c-afe8-731cce49d2aa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604591Z", "creation_date": "2026-03-23T11:45:29.604593Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604598Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7128d13dc4269de832723d4a3a6cfd7e6553576a9e96464583eb8bb5c2f243aa", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c1414d27-3441-5ddf-b95d-7ab1d8b3e873", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489526Z", "creation_date": "2026-03-23T11:45:31.489529Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489537Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0fedac4fe88aef03b44adcd23f94ce04074f75e44bc97ac9978f7f8909023e18", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c1430da3-6b1b-5e66-a30b-94a23d763e8b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145772Z", "creation_date": "2026-03-23T11:45:32.145774Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145780Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5d61e4ea1b1294d5a042feb152dc5f9aa1397c45c3ed583621279dd4e69be418", "comment": "Malicious Kernel Driver (aka driver_5d61e4ea.sys) [https://www.loldrivers.io/drivers/0215d6d6-e0c4-4a11-bd3a-40511f89d736/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c151b015-f21a-5030-9e76-0d847fd8f071", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614198Z", "creation_date": "2026-03-23T11:45:29.614200Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614205Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7018d515a6c781ea6097ca71d0f0603ad0d689f7ec99db27fcacd492a9e86027", "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c1577801-288d-57d6-9062-eb61e423dd18", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160588Z", "creation_date": "2026-03-23T11:45:31.160590Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160595Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab11747906d1db3ab3adeeab2d0f14b20edad4064064f80c3860746448e56608", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"c15b6516-cd5b-576f-ab09-746c3fed886b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488187Z", "creation_date": "2026-03-23T11:45:31.488189Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488195Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1132883b99e795f19ce643184b1e3d33e1801fe19c6718ebcf2ca6f257a6b6ea", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c169d28e-ac73-5064-ac6e-6b0d1b4bbfe7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980133Z", "creation_date": "2026-03-23T11:45:29.980135Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980141Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "16e2b071991b470a76dff4b6312d3c7e2133ad9ac4b6a62dda4e32281952fb23", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c169e4f7-e705-53f8-8d26-442e55a60725", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831848Z", "creation_date": "2026-03-23T11:45:30.831851Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831857Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7966e3d959150caebd4dd5dbaeae68fe28013a4043636ccf6350fda847c46bc6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c16a92d0-c385-519e-8145-d7cb56bb80f0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476904Z", "creation_date": "2026-03-23T11:45:30.476907Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476916Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d0b918d766e6ce4218a833314525dd6eaeba83c597e9e1a9efefa7f95ec64a95", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c171752c-95f4-5c24-9ca4-65627d5880a8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836789Z", "creation_date": "2026-03-23T11:45:30.836792Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836797Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "247058a37cd8d8e09ac4e498578bf188f32ed2beb8858c8363e0651e1f67a0fe", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"c17d0e3e-6b21-5224-8f35-96c8922bbd89", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160513Z", "creation_date": "2026-03-23T11:45:31.160515Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160523Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b2f78cd04121615119903f0aded0bf383e5a8c7fb3f03f34a9b93aa5dbe5c20c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c187152c-19cd-5135-8567-3fcaa493a61f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465821Z", "creation_date": "2026-03-23T11:45:30.465824Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465833Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9a42fa1870472c38a56c0a70f62e57a3cdc0f5bc142f3a400d897b85d65800ac", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c18a3ce5-35c5-5b68-8331-a9d2991ffd99", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969716Z", "creation_date": "2026-03-23T11:45:29.969718Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969723Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fab3f1dbc49bd9f0219156fe49d4423c311f529f7d3653f5f69d2b10b9b0bc98", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c193c419-54b5-5981-aff5-3b73bf831af3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613312Z", "creation_date": "2026-03-23T11:45:29.613314Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613319Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4bf974f5d3489638a48ee508b4a8cfa0f0262909778ccdd2e871172b71654d89", "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c1a6fc31-6b00-53fb-82f9-b931ebf85818", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609593Z", "creation_date": "2026-03-23T11:45:29.609595Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609601Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "610dff57f635693812337813a3f03bb1c3c6b7b6cf5c3f39fbc334ff2a73b69a", "comment": "RobbinHood ransomware malicious driver (aka rbnl.sys) [https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c1b0e20e-7745-5a77-8598-ba3f68b2f610", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819464Z", "creation_date": "2026-03-23T11:45:31.819466Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819474Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "62a27ad4d031df0740e7d56b8a5a3f0cf6049a5e61605ea960380d1d9f3b03dd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c1b19a4a-418e-5039-9ef0-05cf19e4e614", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160175Z", "creation_date": "2026-03-23T11:45:31.160179Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160187Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "f8e2c11c898653b7a85003685aeae9e960cc1f562b8a4429dbe0fbfc254764ff", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c1b689fa-3785-57f4-a8ed-265fd004622c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492896Z", "creation_date": "2026-03-23T11:45:31.492899Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492908Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f0436088396d3fda62bc30d7cd1c68f532f538784ec265a54eb42c324d2a8b63", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c1b97270-149b-570e-9be6-dc511bf5f320", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610958Z", "creation_date": "2026-03-23T11:45:29.610960Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610965Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3966d4b1e4f5442b8507f91b6dbde3523657b47fd2945d990249605727d231ec", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c1bb1d40-6c25-593a-ac83-c339a837c519", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972020Z", "creation_date": "2026-03-23T11:45:29.972022Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972028Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "77c5e95b872b1d815d6d3ed28b399ca39f3427eeb0143f49982120ff732285a9", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"c1d1ff91-9ab1-5a32-937a-a5db85e3f406", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812169Z", "creation_date": "2026-03-23T11:45:31.812171Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812177Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d7fd0abc3f05184243363889c705786f10fe0bd85023f4cad4a0749ff7c431cf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c1e32740-d924-5edc-b527-eb9def0ebe2b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807446Z", "creation_date": "2026-03-23T11:45:31.807448Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807454Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "20c3b13fd0da01f901fce7daf1eb7531fefb37be6f7a690efc1a22f4889f0199", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c1ec604b-b474-5807-94a7-a57c6fa72233", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976428Z", "creation_date": "2026-03-23T11:45:29.976430Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976436Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c1f07d58-e4f0-5f36-95f9-5705ba0c0479", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456248Z", "creation_date": "2026-03-23T11:45:30.456252Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456260Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "698353791261d5a9ca3245ae8f86334493df554690ec7962895c2affe4050db2", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c1fa2df2-2ca1-5590-9f0a-6f86235409a5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480527Z", "creation_date": "2026-03-23T11:45:31.480531Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.480540Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "512110fbb8ddf0c909e5676a94eaf0ad7a0847cc2a70692e8ed96ba82462cfbe", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c1fea586-d297-5e6b-aac3-18082bc390e5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.478773Z", "creation_date": "2026-03-23T11:45:31.478777Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.478785Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1d269d6f031743967b7affefe29f0fb0d2315047676464aa23052da44410b1b1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c209ab55-935e-5ff3-835d-46526c46e8fd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474388Z", "creation_date": "2026-03-23T11:45:30.474391Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474399Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "43eeac44acc2f0aefc02522f1d203b37798fec9232d5b6c5d266badc118a1d8b", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c20bbad5-dc53-56b2-982b-4c73c206bf10", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614110Z", "creation_date": "2026-03-23T11:45:29.614112Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614118Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0f035948848432bc243704041739e49b528f35c82a5be922d9e3b8a4c44398ff", "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [file 
SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c20cda53-0c27-5077-bc27-febff0fc74ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980029Z", "creation_date": "2026-03-23T11:45:29.980031Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980036Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4", "comment": "Malicious Kernel Driver (aka wantd.sys) [https://www.loldrivers.io/drivers/892292f9-b87c-40a5-80e5-8c9b02914e8b/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c215410f-0738-59c5-97cf-7472b4576aa7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144141Z", "creation_date": "2026-03-23T11:45:31.144143Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144148Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fb270140b9a9df701906b79419807945bd39aa552524a67a62e89110ce7d2dc6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c215b303-b470-5821-98a2-4b1805df15f4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146988Z", "creation_date": "2026-03-23T11:45:31.146990Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146996Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fc8b53ebef91d234235dca92d368727db634afd4a4cf0f4cecb6eb1fc29260e9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c21907d9-b23d-5529-affd-85088fb3e7cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474854Z", "creation_date": "2026-03-23T11:45:30.474857Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474866Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fed2e6e84e5f7212a86ede773184d97fb11d24b5da26a030c833dd1bec4ec953", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c21b1101-98d1-5890-971e-21aef12051ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147094Z", "creation_date": "2026-03-23T11:45:31.147096Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147102Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5c5718f3ef2a578761ac96209df9ba0d1c5636ea16530a88f2d2bd70e127f22e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c21be22e-404f-5306-926c-d34282d34b81", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813115Z", "creation_date": "2026-03-23T11:45:31.813118Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813127Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7c358142fe85e9e20006a5b85b5ce5f4b09ee6d726be739654ccfe393a6f7756", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c21ccb4a-ec32-5d38-9c87-89109f08d8c9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827236Z", "creation_date": "2026-03-23T11:45:30.827238Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827244Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "87cf6d683238be3246dac8aae352d0ca5197eba5493a98357f32efd954cdd20e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c22b46e8-3414-5573-8256-da6bc14de01d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981839Z", "creation_date": "2026-03-23T11:45:29.981841Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981846Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0de4247e72d378713bcf22d5c5d3874d079203bb4364e25f67a90d5570bdcce8", "comment": "Vulnerable Kernel Driver (aka TestBone.sys) [https://www.loldrivers.io/drivers/be4843ef-a2a8-4a0d-91c6-42e165800bb0/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c2367434-8e90-5aae-8bec-da2d78f0a4f5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500309Z", "creation_date": "2026-03-23T11:45:31.500312Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500320Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7041b742a7332c981f9ad28f3e9c11ef4667ab64242c5e8f3af589ed454c6587", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c239d57c-1c0d-5638-bc7f-7bd9ad989ced", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612457Z", "creation_date": "2026-03-23T11:45:29.612459Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612464Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e777b95e5432b2a7f43d515c7e7a34d34abc530881c833765f634b2449a8910d", "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [authentihash SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c23bbf4a-80ae-5e1f-9a38-af08d5e865f7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830095Z", "creation_date": "2026-03-23T11:45:30.830097Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830103Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b56b6cadbf270f86a937878e3383485bd473b81b5afca5561308fa34c6000ebc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c23bc317-3d1f-57fc-98e6-2dc419c756af", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831091Z", "creation_date": "2026-03-23T11:45:30.831093Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:30.831099Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7888b85212909ca68906d64a1f0c3ec48edb86e3b24f0f1545f6980f1c37cbca", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c23f60cd-2c04-55dd-9bbc-e5a2547d4806", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616587Z", "creation_date": "2026-03-23T11:45:29.616589Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616594Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5f487829527802983d5c120e3b99f3cf89333ca14f5e49ac32df0798cfb1f7aa", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c25927f1-2fc3-5b3b-b056-a27c01d21fb0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968758Z", "creation_date": "2026-03-23T11:45:29.968760Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968766Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e8efe2cc534bf32fd7d5413005388125a2f449049c95437eae7c98584c403f67", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c266398c-aa31-51be-a0b2-ea7a10700c7a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830789Z", "creation_date": "2026-03-23T11:45:30.830791Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830796Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b14d3075284ca8e7eba4a2b4dfe6ca26b5e31f753ac33b4934baaaece9b08cf4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c26f404f-841c-5484-874c-c6c5de02b153", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972789Z", "creation_date": "2026-03-23T11:45:29.972791Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972797Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "401ed2d2768707b5c47556774c119f989986a9e2fa88e1e2626f14e22b85e66b", "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c2742a95-ac6b-59a0-8f5f-fe5585efde08", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453192Z", "creation_date": "2026-03-23T11:45:30.453196Z", "enabled": true, "block_on_agent": 
true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453205Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "94c226a530dd3cd8d911901f702f3dab8200d1d4fdc73fcb269f7001f4e66915", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c28e38a4-5fa1-5eb8-8701-01e047946cac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619229Z", "creation_date": "2026-03-23T11:45:29.619231Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619236Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7133a461aeb03b4d69d43f3d26cd1a9e3ee01694e97a0645a3d8aa1a44c39129", "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c2b018f5-4749-598c-b84b-e4bdd71ef414", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815544Z", "creation_date": "2026-03-23T11:45:31.815546Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815551Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c8f3e786fada6226e6765bdd85e1383feb276ba457f4874f5932c9e0ebc176ea", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c2b46b68-33a6-50a4-99c9-d9e2365caabe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473543Z", "creation_date": "2026-03-23T11:45:30.473546Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473555Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "148ca220316fe9a0af2b12ed9528273295009d8568bf4c47fbfd4605f0ce2acc", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) 
[https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c2b9de64-b7bc-59a9-9915-0696085e38ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476079Z", "creation_date": "2026-03-23T11:45:30.476082Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476090Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7f84f009704bc36f0e97c7be3de90648a5e7c21b4f870e4f210514d4418079a0", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c2bc276f-7974-5c52-9b73-4eb008a89007", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144598Z", "creation_date": "2026-03-23T11:45:31.144600Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.144606Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "be14b834a7208b4bdfbd972430982b50271cf4eef50b73e36b1ba5f2d47eef3a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c2c57492-388f-561d-8779-989c2498c93e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458401Z", "creation_date": "2026-03-23T11:45:30.458404Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458413Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "37b9fbd6547091b83b2595bb0f9f9035ae95111868a4393aab52bf22087233d7", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c2c6548c-680e-5b35-9e53-db1ab90eac01", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972891Z", "creation_date": "2026-03-23T11:45:29.972892Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972898Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eea53103e7a5a55dc1df79797395a2a3e96123ebd71cdd2db4b1be80e7b3f02b", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c2c77f36-8901-565b-9684-4b8747327f9a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809365Z", "creation_date": "2026-03-23T11:45:31.809368Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809377Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "72ed058bd82712b99fc7f4be1d1d21e2bebb3e00bfa02f6decd88b0a355bbd3d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c2d2eef3-9c16-5345-968b-2828e6108998", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827402Z", "creation_date": "2026-03-23T11:45:31.827404Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827412Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1b64ad2118cbfab21d5033127e54c554abcf83d831bf1b838fbce813a0611b72", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c2ec77ed-0df3-517a-ad26-28ce94297c62", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824138Z", "creation_date": "2026-03-23T11:45:30.824141Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824146Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cbefbb040e8596db4da7450d5823d8708493c1328a57202e86d21b72f7d14eab", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c2f7b5c9-43b5-5f42-b385-58330df686d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479912Z", "creation_date": "2026-03-23T11:45:31.479916Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479926Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "43483edb6a5f8b94df4660b0b7e907d7e9d6aa64de8999c17181e87d58203571", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c2f92672-4708-5db3-8d59-4b34fad11fe0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985502Z", "creation_date": "2026-03-23T11:45:29.985504Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985510Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0527451d72ba02db8479ea69689350cc563b939bb2cc685386719ab32b7e2772", "comment": "Malicious BlackCat/ALPHV Ransomware Rootkit (aka fgme.sys, ktes.sys, kt2.sys and ktgn.sys) [https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c300dbfb-a7db-5fff-9096-cfc2bdce8cb0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460522Z", "creation_date": "2026-03-23T11:45:30.460525Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460534Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c181ce9a57e8d763db89ba7c45702a8cf66ef1bb58e3f21874cf0265711f886b", 
"comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c307edb6-2ce6-5c6f-a701-a46e214e8348", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481748Z", "creation_date": "2026-03-23T11:45:30.481750Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481756Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "223f61c3f443c5047d1aeb905b0551005a426f084b7a50384905e7e4ecb761a1", "comment": "Vulnerable Kernel Driver (aka cg6kwin2k.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c31428c3-3159-57dc-bb8a-982f0d64d27d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829149Z", "creation_date": "2026-03-23T11:45:30.829151Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829157Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "58be5999562f2541e29eb5a0890637a4a1b78df9ba96637475772ce4a67da4d3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c3237d36-c384-558b-8653-4fda838c57ae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979030Z", "creation_date": "2026-03-23T11:45:29.979031Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979037Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd", "comment": "Vulnerable Kernel Driver (aka driver7-x64.sys) [https://www.loldrivers.io/drivers/48bc2815-85ec-4436-a51a-69810c8cb171/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c33020aa-b4ab-5491-815d-514375805cf9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145372Z", "creation_date": "2026-03-23T11:45:32.145375Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145384Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e1123b59a801e243a64270d0c6ab1277e5e3afba9c19023807409f53c1b0204b", "comment": "Malicious Kernel Driver (aka driver_e1123b59.sys) [https://www.loldrivers.io/drivers/11a73c42-26aa-446b-8560-43eecb265091/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c33a6738-3af8-5162-8bda-a0d4c42f5d74", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967986Z", "creation_date": "2026-03-23T11:45:29.967988Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967993Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "13b82d81d6eac1a8b2e4655504dabecbd70673cdf45c244702a02f3397fdff9a", "comment": "Retliften malicious signed drivers (aka netfilter.sys) 
[https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c33e74d6-bd7d-517f-8a60-b158f141b597", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458222Z", "creation_date": "2026-03-23T11:45:30.458225Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458234Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "003e61358878c7e49e18420ee0b4a37b51880be40929a76e529c7b3fb18e81b4", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c34674da-9ffe-5dd6-b627-4a05475a69d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.986101Z", "creation_date": "2026-03-23T11:45:29.986103Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.986109Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6ce1073705194870175a8b9c9ebbbb7ad54df81849b111588ea8aeef910da987", "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c3534a7c-5a06-5327-b21d-a3e0bd091c06", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159474Z", "creation_date": "2026-03-23T11:45:31.159476Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159483Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "997cffe72ff84747a895dd9e18c533cc52d3b655071dcbe24e9834368d6adcf3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c3595160-9bb3-5eb4-af75-b8e3117b56aa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610318Z", "creation_date": "2026-03-23T11:45:29.610319Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610325Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "26e3bfef255efd052a84c3c43994c73222b14c95db9a4b1fc2e98f1a5cb26e43", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c35f99ca-4745-544c-8bf7-9d1e46f9e8d9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622245Z", "creation_date": "2026-03-23T11:45:29.622247Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622253Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f67e60228084151fdcb84e94a48693db864cf606b65faef5a1d829175380dbfa", "comment": "BioStar Racing GT EVO vulnerable driver 
(aka BS_RCIO64.sys) [CVE-2021-44852] [https://nephosec.com/biostar-exploit/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c365a593-fabd-5d91-9cc2-af65bf473a2b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831398Z", "creation_date": "2026-03-23T11:45:30.831402Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831409Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fa9c83e8ca1ab46f4670b32fb4f43a3dd76bd1d12f650d3122ec51ce6c80dd03", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c384338a-fe77-5c16-9300-aa501bfcddb5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.484273Z", "creation_date": "2026-03-23T11:45:31.484277Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484286Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "caea1a15e28a16bb027e18b3c1e7b809f59d773a1f3be77e2fe97affd375faf2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c389d294-a103-594e-9030-04354aabff1f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817995Z", "creation_date": "2026-03-23T11:45:30.817997Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818003Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "abb507455dd1e23e91753f17d6d7a8a5d6572e288f25eb75e4cbdd2e60adae88", "comment": "Vulnerable Kernel Driver (aka sepdrv3_1.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c38c975e-3947-5476-9f8b-f0a7454cc623", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.147003Z", "creation_date": "2026-03-23T11:45:32.147006Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.147011Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8e9f3f58005d62b241874e9790d457d0fbffc101062166f70a5c27aceefdde36", "comment": "Vulnerable Kernel Driver (aka TPwSav.sys) [https://www.loldrivers.io/drivers/c0634ed7-840e-4a7e-8b34-33efe50405c2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c3969cf0-436e-58a0-8600-b77544e7aba3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822308Z", "creation_date": "2026-03-23T11:45:31.822311Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822316Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "181d4651f614e8ae094c77a43785ec9a4627b53d75350ee25ba22bd4d4fba3c9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c39fcac6-ea6d-586a-9968-e2f798685115", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151020Z", "creation_date": "2026-03-23T11:45:31.151022Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151027Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6c5beec296982c6f5ca83adfc9c5f9bc5af81a32abef8b8a15d2df7e21058020", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c3afbb13-97fe-508d-8996-6028b6d7f653", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828902Z", "creation_date": "2026-03-23T11:45:31.828904Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828909Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f3634f9f7ab91b99004b42da85f26fe2b19ad7692a0a49068869a9ece332a3f0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c3bd6b2e-1d3a-521a-a478-c47e36ea54b2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468199Z", "creation_date": "2026-03-23T11:45:30.468202Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468211Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a4d7e16649ce3c7ad9355e8d7418a4c234b3763e262f8ccfbda4bc64a402ed27", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c3bd97a6-a966-5251-b946-e5fbe8c741dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814012Z", "creation_date": "2026-03-23T11:45:31.814016Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814024Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ce251a2b592afefdcae1a9a6458eea982cb84c79fbd7a23d60735e8e2f7cc53", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c3bdb0b3-0b6f-5dae-a2c8-58aae4d53529", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143986Z", "creation_date": "2026-03-23T11:45:31.143988Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143993Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f118e7bd5e3ae74fcd7fdcb71777e30935196495a09bddf01d8f4cc1c0ee5dd3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c3bf4a8d-4187-540d-b69e-34b8d46c7367", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834437Z", "creation_date": "2026-03-23T11:45:30.834440Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834448Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e9f231567cd2ce00d26989d543e91cb869e8b8cf6c215b94cb917f93820c3138", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c3c24a91-c114-5993-9d6d-02165bdfefe3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821726Z", "creation_date": "2026-03-23T11:45:31.821728Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821733Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9ad43b87715587451f01936741b75678a2b35278a2864d72c83fcf2e48e68f7a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c3c47005-de1e-5b12-920d-3de043e9d250", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498837Z", "creation_date": "2026-03-23T11:45:31.498840Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498848Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4a9cca94ebc65c44bcf1a89b9936d2347e18f9f9ce3d40a3c71ae18c49e9b600", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c3c92310-8cd2-5a0c-8a03-1a2596d87198", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499923Z", "creation_date": "2026-03-23T11:45:31.499926Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499935Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "27ad30aeba918e35b292c839c3f844cd8b1d6b2ec4d38c77478a7e3a9bd23a95", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c3d61bd3-ab38-584b-81c8-68fd93ecab0f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.603922Z", "creation_date": "2026-03-23T11:45:29.603925Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.603931Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"b1ad1af005bd78e1ea1d1eef5041c2bdb46f60a9baa60f4b7be21f9603f99df0", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c3e09ec0-ac09-51b7-a364-0ec916a482fa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155066Z", "creation_date": "2026-03-23T11:45:31.155068Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155073Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ead5ac6e9b61c92473a152c843a43a028b26485b6287244045fe5c78d34bb832", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c3e810ca-87a4-5f94-ac0d-6ae126ccfbb3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820390Z", 
"creation_date": "2026-03-23T11:45:30.820392Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820398Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3c0a36990f7eef89b2d5f454b6452b6df1304609903f31f475502e4050241dd8", "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c3e81b63-118e-5135-b111-c99a68336455", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826667Z", "creation_date": "2026-03-23T11:45:31.826669Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826674Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4da389eed69a4292233f7ea4929fb1caef53326e36dfb9bb97f4aecac6b2ed6a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c3fe41d5-1c84-5f31-8360-83caf045fda0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 
10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826402Z", "creation_date": "2026-03-23T11:45:31.826404Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826409Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5e1c198d16341274b2a4106a7e798856889f1402a41503a763e00cebfcf1c05a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c40ebfd8-61a3-5496-9914-c1e1a99f63d9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477162Z", "creation_date": "2026-03-23T11:45:31.477165Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477174Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"402ebccaad7f4e5c2df2063d2ba33beb15f09c7654bb092e5a2bb93b0660d792", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c417fc94-d1f1-5e75-9de9-2f254abf01b6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144277Z", "creation_date": "2026-03-23T11:45:32.144280Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144289Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4a61add64bbb08af8576aac592fdafe7114b940878babb3ae90bfde26f315187", "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c41f1112-97b7-5b6c-bfdf-154fd3069c8e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822033Z", 
"creation_date": "2026-03-23T11:45:31.822036Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822044Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea3b808d4eb63d842cfd750ab5d7f7cca460b4fc63b43071af6384a4f1a40516", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c44901e4-5be5-53ad-8bcf-3e62df6c08d4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827053Z", "creation_date": "2026-03-23T11:45:30.827055Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827060Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3ab90e068d05da1a25d846ce1556bf26f62df1afb62ee65096c74009a0abc4db", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c44cb6de-e19e-59d5-973c-0243ce2ce4eb", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823986Z", "creation_date": "2026-03-23T11:45:30.823988Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823994Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c0b5d5d75115c273df34b4f496d8a1c401b94c850d9fe0bb8d82d9777d141759", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c45bd53d-9c85-5474-824a-95127c748ef5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495566Z", "creation_date": "2026-03-23T11:45:31.495568Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495574Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "61161913cb2ceb5b103e0dbd79de796a09695f43d8f12d15a674ac88b46a3b75", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c460552c-425e-5fc9-a863-3814a04b6d11", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148347Z", "creation_date": "2026-03-23T11:45:31.148349Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148354Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "88189a4c2b9102a0e80c127cb8441f4034273c91420075edc666622fdbde9940", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c463bb53-8dd8-516e-a5c3-73911e30bd78", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475273Z", "creation_date": "2026-03-23T11:45:30.475276Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475285Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3db84cbf299307b1d3500b50355cf35f63d69c6c56d117335fbef7c84ddcc09b", "comment": "Malicious Kernel Driver (aka e29f6311ae87542b3d693c1f38e4e3ad.sys) [https://www.loldrivers.io/drivers/c00f818c-1c90-4b47-bc29-fb949f6efb65/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c468444b-7cc0-51e9-ac85-e4c6a5b37681", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607883Z", "creation_date": "2026-03-23T11:45:29.607885Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607890Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e50b25d94c1771937b2f632e10eea875ac6b19c57da703d52e23ad2b6299f0ae", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"c46b4bc4-5dfe-527b-91d4-dffe3553a51b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828494Z", "creation_date": "2026-03-23T11:45:31.828496Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828502Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2a1808733154e92fbe1ca580ef6b886a52e1720461b0b537b5bbe601e07ae55b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c47402b7-6b03-5296-b5b3-89472fde6735", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611926Z", "creation_date": "2026-03-23T11:45:29.611928Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611933Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ad2477632b9b07588cfe0e692f244c05fa4202975c1fe91dd3b90fa911ac6058", "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c47e7ef3-4951-5449-b3ee-6713d2678478", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973602Z", "creation_date": "2026-03-23T11:45:29.973604Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973610Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "478d855b648ef4501d3b08b3b10e94076ac67546b0ce86b454324f1bf9a78aa0", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c48d2d05-059f-5645-8640-0bf2c53f499a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469037Z", "creation_date": "2026-03-23T11:45:30.469041Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469050Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6fe18adf87e3330799361d49e811c7a35a497423833ad83573588b7878df286c", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c4a1860d-0abe-5d07-baa9-0a0cf1e38252", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157839Z", "creation_date": "2026-03-23T11:45:31.157864Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.158780Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4808b39a5d295c1fb4c10e89f3bfc53f5e049dd1f8933a2e48364036c74214ce", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c4a3ea73-55ee-5f20-bbeb-d0c43f35f065", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814660Z", "creation_date": "2026-03-23T11:45:31.814663Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814673Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd72ff8039a551994b1af86b9cf29cd33a2e262fe87c365462f54b7e5c1e9857", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c4b6a361-f204-528f-b31e-22bd040ac7c7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616450Z", "creation_date": "2026-03-23T11:45:29.616454Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616460Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c2fcc0fec64d5647813b84b9049d430406c4c6a7b9f8b725da21bcae2ff12247", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c4c03d63-fe09-556c-99b6-ad0889a033f0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147024Z", "creation_date": "2026-03-23T11:45:31.147026Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147031Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d0ac54d01c70483d5093a814ed0d6bb92e0b4535559d05f98bce2a23275f209f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c4c4dc37-dcd7-5c10-9016-d008dc180e36", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154804Z", "creation_date": "2026-03-23T11:45:31.154806Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154811Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c3a16a8d1a4656fb6e19d64b01b7c3e31e9b22124c4e284521453550b331ea4d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c4d594d1-93c3-5b9a-b626-fe2514c9fc80", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983543Z", "creation_date": "2026-03-23T11:45:29.983545Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983551Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dbfc90fa2c5dc57899cc75ccb9dc7b102cb4556509cdfecde75b36f602d7da66", "comment": "Vulnerable Kernel Driver (aka cpupress.sys) 
[https://www.loldrivers.io/drivers/c0645f0f-9b97-4fe9-811e-2e45c250c9ef/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c4da3998-0082-5a8e-b401-9c753aeb18ba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827031Z", "creation_date": "2026-03-23T11:45:31.827033Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827038Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ddbd168305b26912de8728c44e8196a1c92c3930fd9871161dbffe6573029747", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c4f511fe-667a-5c2f-a6d5-ff87de3fb959", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458809Z", "creation_date": "2026-03-23T11:45:30.458822Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458831Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5173b9240e9bcd0d9b25290bb0aa45d156fd5a0080841515ab44f61e0e6bd894", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c50163d2-aeaf-5c08-999d-d70c7dad9ab6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494437Z", "creation_date": "2026-03-23T11:45:31.494440Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494446Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "88574aee96270d0d883f9dc11ee5682209640e18f8fea72fa176b9ab6a8f28ba", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c5019506-076a-5d49-ad69-e5ce01e386b8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829752Z", "creation_date": "2026-03-23T11:45:30.829754Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829760Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "71b7b595246923bfbd1adcc9f22988c3793a99a9adc6afe435604074c57c6d3d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c50ae9d1-bac1-5d26-a51a-9dc32138e6b2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829289Z", "creation_date": "2026-03-23T11:45:30.829291Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829297Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fe78f1d6affe100c7726b86096c409d4b6d2ca3ce71ceae43d2aabf174f55ab2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c50b3386-4275-5ced-92c6-e8bf0cbc54d2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813400Z", "creation_date": "2026-03-23T11:45:31.813403Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813411Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e420caccc500b07462e1fef97a2fa67ca2d10ec8c6a2f6fd6917dcc988b15dde", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c50b50fd-3709-503d-aa22-d02ff92c3e3b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141219Z", "creation_date": "2026-03-23T11:45:31.141221Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141226Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1d8509e82d8506f12b9f8cf6916eb58e15d92b0efb2f300bf5188c4ea354f28a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c50fad14-e67b-5d5d-97e5-927940c67342", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146008Z", "creation_date": "2026-03-23T11:45:32.146011Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146016Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d342b077ec4b0fd3ced62d1e91911ac274c708e4ee513f52ec8f2cdd99d851f3", "comment": "Malicious Kernel Driver (aka driver_0a636606.sys) [https://www.loldrivers.io/drivers/82087b26-b649-4ad1-a353-3a225c757ff7/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c511daa9-7ab4-501a-9914-52f5c4f344ef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607417Z", "creation_date": "2026-03-23T11:45:29.607419Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607424Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "03e0581432f5c8cc727a8aa387f5b69ff84d38d0df6f1226c19c6e960a81e1e9", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c517633c-9f86-536a-b5f5-d981528d275a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.142632Z", "creation_date": "2026-03-23T11:45:32.142634Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.142640Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "26ed45461e62d733f33671bfd0724399d866ee7606f3f112c90896ce8355392e", "comment": "KingSoft 
Antivirus Security System Driver (aka ksapi64.sys and ksapi64_del.sys) [https://github.com/BlackSnufkin/BYOVD/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c5257184-85e1-5c3e-8e45-fd0bde106e11", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480638Z", "creation_date": "2026-03-23T11:45:30.480645Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480656Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd5bff03256b98922b47a2725128540953a0ac15bd2be204196917d0c707a9cb", "comment": "Vulnerable Kernel Driver (aka PDFWKRNL.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c525aa61-ce66-55aa-939c-6df7c4443545", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811417Z", "creation_date": "2026-03-23T11:45:31.811419Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811425Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "071b0aa6f5eafe164f0642cf7cbb2ca27f890ce5210133efa2fd2e5c3ec60c88", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c52d3080-6a79-5c30-8c36-b7f1ed4ea1cd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836415Z", "creation_date": "2026-03-23T11:45:30.836417Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836423Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c22480fd746fd8fcd2fb1cc8bcd599759805be1b50e1ff0acefdb6395f1659ab", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c52f0d3f-fb35-59a4-9d25-0a7505ebd61b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150036Z", "creation_date": "2026-03-23T11:45:31.150038Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150043Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "59e264faab9e0716c5ebcdc8feb361f9f82a616840f6149fb7591949b697c4cf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c530da92-e1bf-5f7b-a67c-1896379e8746", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619700Z", "creation_date": "2026-03-23T11:45:29.619702Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619707Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "326b53365f8486c78608139cac84619eff90be361f7ade9db70f9867dd94dcc9", "comment": "Super Micro 
Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c53438da-046e-5ee7-9044-5eaba2d518d3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458927Z", "creation_date": "2026-03-23T11:45:30.458930Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458939Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "71701c5c569ef67391c995a12b21ca06935b7799ed211d978f7877115c58dce0", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c53cc170-7ff5-50a0-b1ae-8c7fee6ee915", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476499Z", "creation_date": "2026-03-23T11:45:31.476503Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476513Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "037701c562e9c44897b9e37b2e5cb4f16b5420e1bc17ffc2d4d53f314400275e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c55590fa-a151-554a-9f90-c5b100baf586", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985777Z", "creation_date": "2026-03-23T11:45:29.985779Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985785Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b8807e365be2813b7eccd2e4c49afb0d1e131086715638b7a6307cd7d7e9556c", "comment": "Malicious Kernel Driver (aka wfshbr64.sys) [CVE-2022-42046] [https://github.com/kkent030315/CVE-2022-42046] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c559153d-1f34-50fe-aa02-a6b6f5e650ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490437Z", "creation_date": "2026-03-23T11:45:31.490439Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490444Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d48cf5f3deb5404e2020f2bf68c4c7f36b183b0c0fdcbb4e99bfef9d10ce51d0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c56cc959-3c0f-506e-b50d-3b0dc0f19bb2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826729Z", "creation_date": "2026-03-23T11:45:31.826731Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826737Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4215f0b6a23010731723be817cbd4258377f183b4253496917013cb471b9099a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c5742ce7-6f64-5aaf-981c-a159b91a1545", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812857Z", "creation_date": "2026-03-23T11:45:31.812859Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812865Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "97a1b74fb41d4ef4838b85283f096151fc675edaa5e2190200f17c25583162d8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c57741f6-fc0c-5d7f-af50-04d454d2b358", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150789Z", "creation_date": "2026-03-23T11:45:31.150791Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150797Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "202a6dfbf79ffe81b5c6528989eb2e1654a396dbbbaa5c7579e0e93c64869e16", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c57bd092-c111-5a12-898e-c0cc62bc2c8d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472409Z", "creation_date": "2026-03-23T11:45:31.472412Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472421Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1332d398824663df3b9bef3bb5f26fbeac2883c49b2ca832a9c4db4c572eabc6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c57ca051-ec3c-5e24-8488-399c1c32691f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461526Z", "creation_date": "2026-03-23T11:45:30.461529Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461538Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7113dee11925b346192f6ee5441974db7d1fe9b5be1497a6b295c06930fdd264", "comment": "Vulnerable Kernel Driver (aka netfilterdrv.sys) [https://www.loldrivers.io/drivers/f1dcb0e4-aa53-4e62-ab09-fb7b4a356916/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c584c05e-bbd7-5c27-81dc-36e60fd669bf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492268Z", "creation_date": "2026-03-23T11:45:31.492270Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492275Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0386ed36fdd44d7645fe5ef420d885a2a1e74cb77074274734cd36dd3fbb10f4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) 
AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c5882499-3776-58db-8c3f-b7d80449e972", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473779Z", "creation_date": "2026-03-23T11:45:30.473785Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473797Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1cad825ef477bdbafda6be0bbe9149d915560077d9017655fdb7f2233da9ad01", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c599e9d4-4ff6-5842-aa0a-8fc6d5e8e57e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143042Z", "creation_date": "2026-03-23T11:45:32.143044Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143049Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6c6a4d07e95ab4212c2afefcb0ce37dc485fa56120b0419b636bd8bd326038c1", "comment": "Vulnerable Kernel Driver (aka msr.sys) [https://www.loldrivers.io/drivers/ee6fa2de-d388-416c-862d-24385c152fad/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c5a40e4b-69e6-52f6-b7c3-75af42a9a819", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835825Z", "creation_date": "2026-03-23T11:45:30.835826Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835832Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "49a0e50f8d434282b7393389a08e55aa430c2bfadfaafc5d747fcadcdb9869ed", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c5ad0236-4dc3-5056-96a5-e3af9336e172", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982177Z", "creation_date": "2026-03-23T11:45:29.982180Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982188Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0a3090ae46b3ce5f4cc6ba2d4dd265033e23c813d5c1e9c7a20a84d5d167dae3", "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/b03798af-d25a-400b-9236-4643a802846f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c5ae0724-cdd1-5570-997e-c7645c559254", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455108Z", "creation_date": "2026-03-23T11:45:30.455111Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455120Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "93d99a5fbfc888c0a40a18946933121ae110229dcf206b4d17116a57e7cf4dc9", "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c5b47207-b5ce-53b8-9df8-e0571a109f3f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816062Z", "creation_date": "2026-03-23T11:45:30.816064Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816070Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5cbe195ef5e86f705c8290602ae688e1835e7385ed68ae264c4795e425c1645f", "comment": "Vulnerable Kernel Driver (aka ecsiodriverx64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c5c497cb-b547-5844-961c-6893f2428abf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490574Z", "creation_date": "2026-03-23T11:45:31.490576Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490582Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea66dc3a26e2e6a325f2e738cf22fbb90069d30ee2d678abe9ce89ede145834e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c5ce6fab-58a5-5a25-97d9-03cf56029eed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606226Z", "creation_date": "2026-03-23T11:45:29.606228Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606234Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6b830ea0db6546a044c9900d3f335e7820c2a80e147b0751641899d1a5aa8f74", "comment": "Vulnerable Kernel Driver (aka PanIOx64.sys) [https://www.loldrivers.io/drivers/93c84c08-4683-493d-abf7-22dc2d1cb567/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c5d3ef2a-d9f6-510f-9847-e89d3e98b3e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814066Z", "creation_date": "2026-03-23T11:45:31.814069Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814078Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "89f59c4e933d8d39133a7c6505b28c774f72a92234d4a4228f17834dc7389307", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c5d40ff1-8f13-5354-a023-926a43dc0fa4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621350Z", "creation_date": "2026-03-23T11:45:29.621352Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621358Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "906d8412b357379db9512e3f584fcda1f788acc1337e5b4d4eff5e6fa59324a6", "comment": "ASUSTeK vulnerable physmem driver (aka AsIO64.sys) [https://www.loldrivers.io/drivers/79692987-1dd0-41a0-a560-9a0441922e5a/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"c5eff58b-3ced-524d-b433-4e1046cbe0fb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832764Z", "creation_date": "2026-03-23T11:45:30.832766Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832772Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "286a58f44c92c7d30f0aa61c959889a439e93cbc487f447306be06b20825b7c1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c612c7df-d9f9-5551-8eb7-3ff8eb679766", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618133Z", "creation_date": "2026-03-23T11:45:29.618135Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618141Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "79aa2cedd1b8415ba6d00f4b3601e2363c8bdd07f860a3b8de010f9e5187c0e9", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c61ef844-42bf-569f-b0be-ee208967a37e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156860Z", "creation_date": "2026-03-23T11:45:31.156862Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156867Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1d6c2b4360c50e865572f736c262601b8ae92ebea8c2d4428dc6dddefa2a570d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c62259cb-056a-530e-a73a-e56fb274c675", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820408Z", "creation_date": "2026-03-23T11:45:31.820411Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820420Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cfb9e69e73e12b098be099971e13f41d5b1de3509c0b3578a1192f6cd28d73fc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c6230b77-721b-530b-b10c-1ffdb6ce1ce1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978493Z", "creation_date": "2026-03-23T11:45:29.978495Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978500Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9ce44d1643bc4d87e5029a4927613035bbd96b4e45a2400aed987396115791f7", "comment": "Vulnerable Kernel Driver (aka sandra.sys) 
[https://www.loldrivers.io/drivers/a7628504-9e35-4e42-91f7-0c0a512549f4/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c62b1b04-67f9-5b6a-9cc4-58bbee85d03a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826561Z", "creation_date": "2026-03-23T11:45:31.826563Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826568Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "24d83f41ff581dc60a415e120a116d5eff990ef1b69aa9fe789fb3267a426b0a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c646f6d8-0f0b-5918-a915-84669bdf6b85", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622332Z", "creation_date": "2026-03-23T11:45:29.622333Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622339Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ac63c26ca43701dddaa7fb1aea535d42190f88752900a03040fd5aaa24991e25", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c64967b4-9f69-5453-93e3-4ab401019d71", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620727Z", "creation_date": "2026-03-23T11:45:29.620729Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620735Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a56c2a2425eb3a4260cc7fc5c8d7bed7a3b4cd2af256185f24471c668853aee8", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c6540105-56a5-53b6-bf42-786684afeb95", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822159Z", "creation_date": "2026-03-23T11:45:31.822162Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822170Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e4d236ed7c038b4e10fbe8450ef16a742e8d676a3ace46b277d362afa353f5b5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c65ad857-a81f-5b4b-9000-16b474a59930", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972125Z", "creation_date": "2026-03-23T11:45:29.972127Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972132Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "de3597ae7196ca8c0750dce296a8a4f58893774f764455a125464766fcc9b3b5", "comment": "Intel Ethernet diagnostics vulnerable 
driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c6902eef-c776-5c7c-806c-8815ef29c1aa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819620Z", "creation_date": "2026-03-23T11:45:30.819622Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819627Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a47555d04b375f844073fdcc71e5ccaa1bbb201e24dcdebe2399e055e15c849f", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c694bd3b-3829-5964-91c9-5ce270c0c7c4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835463Z", "creation_date": "2026-03-23T11:45:30.835466Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835474Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ac258fa5a7211a4785242948f9055eca6e7177ccbd7b8d109c18d09d8db1e1d4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c6a67b3b-8d8e-57df-a827-271916379d95", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606209Z", "creation_date": "2026-03-23T11:45:29.606211Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606216Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9d5ebd0f4585ec20a5fe3c5276df13ece5a2645d3d6f70cedcda979bd1248fc2", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c6aa65a4-cc68-5b6e-aae7-8c80a29eb84b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490802Z", "creation_date": "2026-03-23T11:45:31.490805Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490814Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9d0ad33174b9749167b5f5433429c01e2628772e283913602ac0b912b12bd54f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c6b1f2eb-f20d-5c37-b0e1-91e329f78a62", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479350Z", "creation_date": "2026-03-23T11:45:30.479352Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479357Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2bb0418dcfb3fa15f01220dc039f2c9ad4dc12eb7f0396deaa9b2e81cb5e77e9", "comment": "Vulnerable Kernel Driver (aka 
AsrAutoChkUpdDrv_1_0_32.sys) [https://www.loldrivers.io/drivers/02e4a30f-8aa8-4ff0-8e02-1bff1d0f088f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c6b9bc7a-20ac-52cb-8548-ec2cb9a2ab9b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829663Z", "creation_date": "2026-03-23T11:45:31.829665Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829670Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a0a7160d94f89e3d8e05e60e0d83effe9cf7eb4ec57332262a9bcbe8d2a28c03", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c6e3f4e4-982b-5f84-b191-18cdf6292cc1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466836Z", "creation_date": "2026-03-23T11:45:30.466839Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466848Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "773b4a1efb9932dd5116c93d06681990759343dfe13c0858d09245bc610d5894", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c6ea4fde-ed4a-5c04-95a1-9f10bf16b514", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622122Z", "creation_date": "2026-03-23T11:45:29.622124Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622130Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "faa08cb609a5b7be6bfdb61f1e4a5e8adf2f5a1d2492f262483df7326934f5d4", "comment": "Vulnerable Kernel Driver (aka capcom.sys) [https://www.loldrivers.io/drivers/b51c441a-12c7-407d-9517-559cc0030cf6/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c6fce826-ca27-5c3f-b46a-7cd1694c5e80", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144305Z", "creation_date": "2026-03-23T11:45:31.144307Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144312Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "614885fc4266dd1f9c226122b53cb75091160eadad62fe49847a700402d3d2e9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c6fe2be1-565d-5e3b-9ae8-fb49b1669d71", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980550Z", "creation_date": "2026-03-23T11:45:29.980552Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980557Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a9e0f35da47fe91d887a28a0670d8e79ceef7c61ff6d9af3d0568a9737fe0673", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) 
[https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c70086a3-55d7-5b4c-8f98-6caca139a5ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458372Z", "creation_date": "2026-03-23T11:45:30.458375Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458384Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1d640783395631c1b4878ac7945f227c4c4f64fe26dd30cbed755dc440931e85", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c707ff43-a1f1-5727-b9ed-a8bffbd035ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483436Z", "creation_date": "2026-03-23T11:45:31.483440Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.483450Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d05196b08b66c4bf94dd48b6ff4f5702af5ce08c9e8cb40d7003a5be36636adb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c708acf4-da75-5da9-a438-6f36920f4302", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455669Z", "creation_date": "2026-03-23T11:45:30.455673Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455682Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ac08a6035cfcafdac712d7c3cf2eef6e10258f14cee6e80e1ef2f71f5045173", "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c71cd79f-8bd4-5d3d-a6cf-c9f3c6df82ea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466495Z", "creation_date": "2026-03-23T11:45:30.466498Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466507Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "95e5b5500e63c31c6561161a82f7f9373f99b5b1f54b018c4866df4f2a879167", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c7282470-80ce-5051-a8bb-0c508242200e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826262Z", "creation_date": "2026-03-23T11:45:30.826265Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826270Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c360ca22ac7cc6d6d307d7bfb8179021942d5d80b32536cf644753a4b3201139", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c729f119-7a95-5ae4-910b-5a47a3c965b2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160685Z", "creation_date": "2026-03-23T11:45:31.160687Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160693Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "04d1544916acf49af24dde775f6a733f9e6e6b9ecc15205429c9e651e5825ee6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c73163f2-a977-548c-8268-6feed478acc2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831695Z", "creation_date": "2026-03-23T11:45:30.831697Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831702Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4a3cf88acf373c48ce7b9994d9178b167c26b78925bec161179c2b67d57cf438", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c73980bc-4860-517e-97f4-2d51f6d7eb4c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.497633Z", "creation_date": "2026-03-23T11:45:31.497635Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.497641Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "32b31efcb4501bbf20ced801dbba29f6bddccf7ff67faa593fc97025ff37f41f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c73b6387-005e-51c7-8d67-ac67f70a17eb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610194Z", "creation_date": "2026-03-23T11:45:29.610196Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610201Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a13578aa1c9896c3753047ea05fd6a98af11044a544b0ad641bf3e15369c7601", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c743cc7b-ffde-5b7f-874d-14ad08b8c347", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461381Z", "creation_date": "2026-03-23T11:45:30.461384Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461393Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d8ff25255202321bd00f7aa792800e1fb7aab506dca771a4a8e2cc1af265fa15", "comment": "Vulnerable Kernel Driver (aka sfdrvx64.sys) 
[https://www.loldrivers.io/drivers/5a03dc5a-115d-4d6f-b5b5-685f4c014a69/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c74ec9dc-7e37-584f-94ca-618dd7307e68", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814235Z", "creation_date": "2026-03-23T11:45:31.814238Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814246Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "66687204c5683cd336e2af70f36f4bace8f1ea140617586f2bd923d2dcde76b5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c7533662-92f0-5719-a8a8-2bb1abf870ed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498415Z", "creation_date": "2026-03-23T11:45:31.498419Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498427Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e37c23ba30bfbf296bc6ff82cebd5a007f96e512dce4c384e9330c99b4474d24", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c758dfb4-8387-5019-aa04-9be63554c24d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148852Z", "creation_date": "2026-03-23T11:45:31.148854Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148860Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "81430b45a27126a4de491b6afbdd4dcb93b4a03c92490735fa412bfdd907a6ac", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c75a0cfd-fc25-5a39-8d76-3c93ee5474fb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153310Z", "creation_date": "2026-03-23T11:45:31.153314Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153322Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dc740973f3bb30cdc702f350fadb92a7bfd6b68b1625e96b16c15faadc589e32", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c7630799-cca9-5177-abed-886926039931", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455528Z", "creation_date": "2026-03-23T11:45:30.455532Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455540Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ec9bd7fb90c3a2aa4605bd73fe1f74399e2cda75fd4c5fff84660ad4f797c4fe", "comment": "Vulnerable Kernel 
Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c764d18c-4400-504c-9778-b43102007609", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971767Z", "creation_date": "2026-03-23T11:45:29.971769Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971774Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184", "comment": "PowerTool Hacktool malicious driver (aka kEvP64.sys) [https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HackTool.Win64.ToolPow.A/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c768da48-5ff7-57b1-8771-facb010b3644", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143290Z", "creation_date": "2026-03-23T11:45:31.143292Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143298Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "688420dc64baecc92f9326418e6f178f60c5468a333ecd68f11618aab2f9612a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c76c3997-a1f6-56f4-ac8a-10635632ef19", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463585Z", "creation_date": "2026-03-23T11:45:30.463589Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463598Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "30e083cd7616b1b969a92fd18cf03097735596cce7fcf3254b2ca344e526acc2", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c78ea98d-18e1-5e27-9d4a-a8165fb0cefb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473425Z", "creation_date": "2026-03-23T11:45:30.473429Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473438Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "84c5f6ddd9c90de873236205b59921caabb57ac6f7a506abbe2ce188833bbe51", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c796c22d-ab65-594d-8731-8ce2d9eaa5ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159616Z", "creation_date": "2026-03-23T11:45:31.159618Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159623Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "722f0f8b1c285e438c4b679d9db4372c6235ee6886a0bd05222db7dfe59497d1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c7b995d8-f087-57da-8a52-dd073f2b18b9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974264Z", "creation_date": "2026-03-23T11:45:29.974266Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974271Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3847a1ed764ba25361a1748761fd9a1cbb65e42db00094f8ad6def9ac5da4116", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c7bca650-ec00-5115-9c31-60c250eb62c9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473689Z", "creation_date": "2026-03-23T11:45:30.473692Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473701Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b5c8521c00f0a9003d3f91abb0b881e8657ba5f5cf74a1223a88499a85916e68", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c7c7212a-a7bf-59cf-b59b-ac3a55c40888", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818651Z", "creation_date": "2026-03-23T11:45:31.818655Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818663Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2891d9f9bd5037598ad6441fb92fbe283afcd5b538f022583cf1bbb881d7a693", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c7d38e76-8ce5-5909-86e1-9edb09c7c4f6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152109Z", "creation_date": "2026-03-23T11:45:31.152112Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152120Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "23c787b0a5c706dedf083f0d219ef18ec07a62b33bcd6016e2e66d0b7b3009cc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c7d40069-2da6-5e1d-94fe-8303eace72bf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488379Z", "creation_date": "2026-03-23T11:45:31.488381Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488386Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2843834ebfd4c0bc906b90a2f8be6e2b0ced788b8a26296536bcaa8be9ee132f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c7db2e31-63dd-52ea-9063-4a214a529482", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608282Z", "creation_date": "2026-03-23T11:45:29.608284Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608289Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7281a3b0fa9a17b45fb5f2b6ab31e521495a524ad040dfe5591394952a8d5c81", "comment": "Vulnerable Kernel Driver (aka STProcessMonitor.sys) [https://github.com/ANYLNK/STProcessMonitorBYOVD/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c7dcdc0b-135a-5f74-968b-701d76ab3af4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145272Z", "creation_date": "2026-03-23T11:45:31.145274Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145279Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "34028d77b89865fca9790769f3f2e8feabd3be85d905ce4abd3f57b1b72561e7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c7e1bc65-5161-5f0e-82ce-6c50ad5f2c7c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973637Z", "creation_date": "2026-03-23T11:45:29.973638Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973644Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4e37592a2a415f520438330c32cfbdbd6af594deef5290b2fa4b9722b898ff69", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c7e9a127-fbf0-513c-9931-eaa843568bbe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818434Z", "creation_date": "2026-03-23T11:45:30.818436Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818441Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d3b5fd13a53eee5c468c8bfde4bfa7b968c761f9b781bb80ccd5637ee052ee7d", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c7f4d28b-0ff5-57e9-9251-25d24d17dba7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152185Z", "creation_date": "2026-03-23T11:45:31.152188Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152196Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "25b6f65c07b83293958c6f1e36d053b1d39c5dde864fde5cfc1834ecca591139", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c7f53393-3aff-5801-9092-1271c2a54d08", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820124Z", "creation_date": "2026-03-23T11:45:30.820126Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820131Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "14a0a9fe317192b54fda1516f46af78e6aabac0cf050bf18ec1e5ddaefd8e051", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c8097ad6-8b0b-5aea-87fd-975054f83666", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828112Z", "creation_date": "2026-03-23T11:45:31.828115Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.828120Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd3b251ac86c22d91ab802841869285776c07e1d51c8b813e1538a3875396e12", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c80b8259-83ab-54da-ab5b-22a088c4ed4d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969238Z", "creation_date": "2026-03-23T11:45:29.969241Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969246Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a5a50449e2cc4d0dbc80496f757935ae38bf8a1bebdd6555a3495d8c219df2ad", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c80e7c1a-7902-5fb3-a4b2-9afea19044f2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823731Z", "creation_date": "2026-03-23T11:45:31.823733Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823739Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "303f52270ee7b8c4e3c2256e7d3710004f8dc6a753fa0ec9d7aadf863e91f171", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c816e426-59a8-5b52-a894-046f53b0e987", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823626Z", "creation_date": "2026-03-23T11:45:30.823628Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823634Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a423b34233d44c6ca5f2e33aa47e645dc431c71a642e0b0b40f2f2f0d48e8198", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c81c2ce1-fabd-5d52-af0f-f4a23bdd58b2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834668Z", "creation_date": "2026-03-23T11:45:30.834672Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834680Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "756388618fb0ac8c172bc08ab17bbfaece56a980f70ab4cd60a65ca1488b1799", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c824b544-8a10-52ad-b8fa-955ac0b3f9cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818962Z", "creation_date": "2026-03-23T11:45:31.818965Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818974Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bd9da6db9c9ab066e44cc1653ad2bf817492850afd95b838df7f19b92254a5a2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c82be96f-332a-50e7-a1c2-0dbdbbd9d436", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819602Z", "creation_date": "2026-03-23T11:45:30.819604Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819610Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b8321471be85dc8a67ac18a2460cab50e7c41cb47252f9a7278b1e69d6970f25", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c84d262a-aba9-517d-834b-e2c8cbcb40ad", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160221Z", "creation_date": "2026-03-23T11:45:31.160223Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160228Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d8aec725fe23677aad785a819400da5c2bc8436804a965a256806ff6e37bb19d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c8521409-d970-5d97-90e8-eaf88d7fe442", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827212Z", "creation_date": "2026-03-23T11:45:31.827214Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827223Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "26dde0eacfe6d99cd59ccb6e47597c9765489e30ecf9a27ea0be023fc31b019e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c854a0fb-9a3d-5639-8af9-fd3856fd379d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617024Z", "creation_date": "2026-03-23T11:45:29.617026Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617031Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5167b33a95b4db0a1244cb3b95d4024587d9a5a95222babb033210e6b111d2fb", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c858192d-5477-5358-8aff-c3bacbc6085a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489230Z", "creation_date": "2026-03-23T11:45:31.489232Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489239Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7626cbd757986a641705d133823994b458a16d7e93901e3bef15b4ce6cb54be2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c8632ad8-a407-5905-bafe-1f547c817fca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143615Z", "creation_date": "2026-03-23T11:45:31.143617Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143622Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e88d6d62ec6d4ee772fabb2d5bf4844cf55c6a1d87db692ad30a9660089d96d1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c86c1719-503b-5865-bd8c-bc16a9fd2304", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978066Z", "creation_date": "2026-03-23T11:45:29.978068Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978074Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c", "comment": "Malicious Kernel Driver (aka ntbios_2.sys) [https://www.loldrivers.io/drivers/33a9c9ae-5ca3-442d-9f0f-2615637c1c57/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c87ce225-1ba6-53d5-b2f9-9cb59581830a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609719Z", "creation_date": "2026-03-23T11:45:29.609721Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609726Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8e88cb80328c3dbaa2752591692e74a2fae7e146d7d8aabc9b9ac9a6fe561e6c", "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys 
and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c898de3c-fba8-5115-9959-88940ccb0e1f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.497510Z", "creation_date": "2026-03-23T11:45:31.497513Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.497519Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c9932bb8d070f8ee18b54607ad25d347e9a5464bbf46f128be30e5126b5b8ed", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c8a60329-a39a-512b-b1b7-cb4b238fc7e9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485417Z", "creation_date": "2026-03-23T11:45:31.485421Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485431Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "188ee7fda1d997b4390bfda1c2fc173d5eb6f1a47865a9e0ca62807a7405ebb2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c8a6cde7-d099-5f90-9837-f5af874a1526", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454565Z", "creation_date": "2026-03-23T11:45:30.454568Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454577Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "15d44fa77f8d922b5cf03425116c394eefc20ae9a082d3d7f10e68b832be36e7", "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) [https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c8a8c418-975f-5daf-9e55-320b76eb97ad", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983981Z", "creation_date": "2026-03-23T11:45:29.983983Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983989Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e466e2bf4e190edd8717f6e8466b77a66b3304f5ae1458ca4400025a869fdfd1", "comment": "Vulnerable Kernel Driver (aka LMIinfo.sys) [https://www.loldrivers.io/drivers/a02ee964-a21e-4b08-9c98-a730c90bfd53/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c8c0cbf0-2673-54b3-85a9-181c1d100d51", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823500Z", "creation_date": "2026-03-23T11:45:31.823503Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823512Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6df12669f7e96e72ef5cbb3b8bd1dfc2d359a0023f3c9d216c5fbdb84a44c2ef", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c8ec34d0-4dc0-53f1-aa4c-9b9a93f89af8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622579Z", "creation_date": "2026-03-23T11:45:29.622581Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622586Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8939116df1d6c8fd0ebd14b2d37b3dec38a8820aa666ecd487bc1bb794f2a587", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c8f1ec12-08ea-577f-820f-ec3ecde62bc2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153424Z", "creation_date": "2026-03-23T11:45:31.153427Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153436Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8908a5eea68b2671143bd4f5e87d941fbf037693b7bdf20a3fa10783d0061e5e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c8f64da6-f191-521d-ad8e-adfa0bee29ea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146911Z", "creation_date": "2026-03-23T11:45:31.146913Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146918Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0d32183f339f98b5d4d3e6b729c75bb354d9220500fe93c4f169be22b1bde50a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c8fc34a8-268b-5af5-bdfa-3daf4597ceaa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.484302Z", "creation_date": "2026-03-23T11:45:31.484305Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484314Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3c318bdbf026513af53c16b81e77e1bb37c98b78e1b78d23f1abb6257c60ad29", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c8fef551-ae86-5821-8a81-294147a66fd1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474118Z", "creation_date": "2026-03-23T11:45:30.474122Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474130Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b32ef857f7603af679fb794432c9c1ecab0ca7a0ac2ae4dd4fd5e80e05d8bb30", "comment": "Vulnerable Kernel 
Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c901489a-86a3-5c9f-8563-524806a96cbe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967746Z", "creation_date": "2026-03-23T11:45:29.967748Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967753Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "55881408b405194f63c04de52b1701d964f942ac191ed1fc2e572159e7e94476", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c908ac86-caa8-5135-80a2-0e3f2bbe39b3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981995Z", "creation_date": "2026-03-23T11:45:29.981997Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982003Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bd243e33fa80f4bd6010c23ecdf94b6008fee30df248255dcfe014c91f2ce2af", "comment": "Malicious Kernel Driver (aka wantd_6.sys) [https://www.loldrivers.io/drivers/127cde1d-905e-4c67-a2c3-04ea4deaea7d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c919dafb-bf72-5844-b498-5993d9ca714f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825751Z", "creation_date": "2026-03-23T11:45:31.825753Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825758Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d4f002bfa2eca3bd8f1940c4f8dcefe4db1934d50bd8612eafe6244b1fff9884", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c924f8df-5475-58cd-a569-1ee79a407ba9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475387Z", "creation_date": "2026-03-23T11:45:30.475390Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475400Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "40263b08b3c3659529ab605d1daa3033db0fdc4b19c26aa375be0c19686807e6", "comment": "Vulnerable Kernel Driver (aka mhyprotnap.sys) [https://www.loldrivers.io/drivers/75a66604-f024-4f11-8ba7-fdd64a0df3bf/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9547e16-86aa-560f-bd9f-1fecc37c2810", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487576Z", "creation_date": "2026-03-23T11:45:31.487578Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487583Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "74a3e72507f758e4d2eca2462db3a24e59d6cec48d7f9600b9f40c09a385d395", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c95bd541-e9c1-5dee-bbc4-c1c2e720ab6f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473281Z", "creation_date": "2026-03-23T11:45:30.473284Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473293Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b8ffe83919afc08a430c017a98e6ace3d9cbd7258c16c09c4f3a4e06746fc80a", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c95c795d-cc4e-56f3-851b-de98a8abc372", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618659Z", "creation_date": "2026-03-23T11:45:29.618661Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.618667Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c2f5db10a59577aeff8550a58f9d96ce8aa8c1a13f96814cd0f4bb03274968e9", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c964705f-238e-53ef-a9bc-bcc741943241", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819390Z", "creation_date": "2026-03-23T11:45:31.819394Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819402Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "82fead4660edf201ea2af810fe6e1df22636c736b5165575b5f4a6ad5a4a050d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c96bdbfb-02fe-5bfd-a6bd-8cef6855df6d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614334Z", "creation_date": "2026-03-23T11:45:29.614336Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614341Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d8b58f6a89a7618558e37afc360cd772b6731e3ba367f8d58734ecee2244a530", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9738c1d-b259-59fd-9d8f-f32e49189254", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155770Z", "creation_date": "2026-03-23T11:45:31.155772Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155778Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "887c3e1fb16b423a347fe8e9f46fd67ba7fab3f757d81c834cb26cc3ef7104cd", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c97e7f4a-062d-550d-a4e8-ef0741e45ca4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818631Z", "creation_date": "2026-03-23T11:45:30.818633Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818638Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e9919d1546c7dfef62ff01b87f739812de0a57463611c12012013ae689023ce1", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9815b78-1b4f-523b-bccc-81d635dd7a50", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835537Z", "creation_date": "2026-03-23T11:45:30.835539Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835545Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ec22aea52bdb4195c2f898a8ad3604493bdc28497e7c5ad12a08bc92c8748461", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c990cedd-13f3-590f-9cae-1aaa570c12b9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146114Z", "creation_date": "2026-03-23T11:45:31.146116Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146121Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c2a48a71d21867d3d1406a6d82c239b857f3c3c5598389869753ec911847d95a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c99eeea0-6fe0-5d5d-9030-941f3562a441", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821272Z", "creation_date": "2026-03-23T11:45:30.821275Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821284Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a34e45e5bbec861e937aefb3cbb7c8818f72df2082029e43264c2b361424cbb1", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c99f9cb2-2b43-5bee-98d2-3deb3d30b994", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822836Z", "creation_date": "2026-03-23T11:45:30.822838Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822843Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b3d1bdd4ad819b99870b6e2ed3527dfc0e3ce27b929ad64382b9c3d4e332315c", "comment": "Vulnerable Kernel Driver (aka 
SBIOSIO64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9a96a76-d53d-59a3-82bd-8825a5601dbf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820668Z", "creation_date": "2026-03-23T11:45:30.820670Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820675Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5aee1bae73d056960b3a2d2e24ea07c44358dc7bc3f8ac58cc015cccc8f8d89c", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9b0b0cf-05ab-5fa8-b972-c94d650a610b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827786Z", "creation_date": "2026-03-23T11:45:30.827788Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:30.827793Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5747b57c3bcd4ddcc84876b1c298e9ff8b6a91831217a1d0d6a1d73567f5aae1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9b5dadc-7bbe-5443-9efe-3a22f1750015", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479862Z", "creation_date": "2026-03-23T11:45:31.479866Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479893Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fb9c54dea38d847c00d0ec7195b5b8fe0326ae4922c6c84b1e4c29acc7507c16", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9b7be35-5e2a-54e7-b77d-b48ce2fe6831", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464174Z", "creation_date": "2026-03-23T11:45:30.464177Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464186Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "469713c76c7a887826611b8c7180209a8bb6250f91d0f1eb84ac4d450ef15870", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9b83c5e-c477-55e0-ae14-5bef9b69268d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982783Z", "creation_date": "2026-03-23T11:45:29.982785Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982791Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "36875562e747136313ec5db58174e5fab870997a054ca8d3987d181599c7db6a", "comment": "Vulnerable Kernel Driver (aka d3.sys) [https://www.loldrivers.io/drivers/13b2424a-d337-4bc7-ad1d-2049c79906b4/] 
[authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9bb27e1-f6b7-515d-bce0-e3642e79674b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827515Z", "creation_date": "2026-03-23T11:45:31.827517Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827523Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b87c1cbcddf705ac36318dd8e94167ef075ba3ae916ad616a89a8359e6b37f89", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9c3b56a-956d-56e4-bfaf-83a0ff19bb27", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982904Z", "creation_date": "2026-03-23T11:45:29.982906Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:29.982911Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "48b1344e45e4de4dfb74ef918af5e0e403001c9061018e703261bbd72dc30548", "comment": "Vulnerable Kernel Driver (aka WiseUnlo.sys) [https://www.loldrivers.io/drivers/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9c75ac2-0714-5f2b-bbb2-38c25dc23561", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495886Z", "creation_date": "2026-03-23T11:45:31.495888Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495894Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4f19be2c132005189b4bed20bb2968673555f93f961a1b7ace91bd69aec7ef10", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9ccab93-9c73-5dcf-86e1-f0b9be0555de", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834549Z", "creation_date": "2026-03-23T11:45:30.834552Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834561Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "445c9a8200c34c8ff4d7eba1df57247b32780132c0cb16c9e085f40f4d874c66", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9cdc50b-9d2b-51b1-b1d3-b5fa51176b9e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616150Z", "creation_date": "2026-03-23T11:45:29.616153Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616158Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f2b51fbeead17f5ee34d5b4a3a83c848fb76f8f0e80769212e137a7aa539a3bc", "comment": "Phoenix Tech. 
vulnerable BIOS update tool (aka PhlashNT.sys and WinFlash64.sys) [https://www.loldrivers.io/drivers/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9ce7030-ea2d-5fb0-829e-cfcbff58dc84", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820547Z", "creation_date": "2026-03-23T11:45:30.820549Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820554Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "74264ce2e0ed67730b0f3c719aee37664d4688f872875322a64022cd68e060bb", "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9d2b6eb-e985-5e0c-9f93-a6a2fbfeb300", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148019Z", "creation_date": "2026-03-23T11:45:31.148021Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148026Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a3fd69a7e84c6c5f84cc8617e868d3719b7f9ade196467b49a5a82e7ea65619a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9d34c34-ef50-5d3c-8811-1a13b9c3ab7a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620260Z", "creation_date": "2026-03-23T11:45:29.620262Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620267Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "61d6e40601fa368800980801a662a5b3b36e3c23296e8ae1c85726a56ef18cc8", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9dac64a-7c54-578b-890e-5af4724dfa5a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977000Z", "creation_date": "2026-03-23T11:45:29.977003Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977008Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "78536b73d77fc07c9ca55766f592852abda179c6deb92c4456cfd89492b594ac", "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9e6f7b7-8fed-591e-b121-daf8595cc5da", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980116Z", "creation_date": "2026-03-23T11:45:29.980117Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980123Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f15962354d37089884abba417f58e9dbd521569b4f69037a24a37cfc2a490672", "comment": "Vulnerable 
Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9ea0de8-7e38-5486-970c-354ddfb4cc59", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159710Z", "creation_date": "2026-03-23T11:45:31.159712Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159717Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3775d48fe24462bcb6139ce2b4630efb307f18d804e58549cd5fb00ff24a5b6e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9ea16b6-6601-5fe4-b206-4eb0eeda689e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455445Z", "creation_date": "2026-03-23T11:45:30.455448Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455457Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8ecd15521b2c37d2ff02a138700007f2aff28a0accfa6fb3480a4421194ef7d2", "comment": "Vulnerable Kernel Driver (aka mhyprotrpg.sys) [https://www.loldrivers.io/drivers/181b89e5-4bdd-4e95-b1bc-a294a4adfb29/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9eef577-11e4-5cdf-9250-c80361f176ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832960Z", "creation_date": "2026-03-23T11:45:30.832963Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832971Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "36c1d01074ceca73b7cbe87b0731ecd8fdeb1518de610f72a23bd7821124f469", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9f034a4-260d-5387-b2a0-2be9a2ff07fa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485483Z", "creation_date": "2026-03-23T11:45:31.485486Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485496Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fa3e1336fbdb2d5751502185168dd5ebfeedcebd2e9992209962f316116b3c7b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9f0c941-ea47-5800-89b5-68ca5e3e5ed7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833202Z", "creation_date": "2026-03-23T11:45:30.833206Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833215Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f31f2dc87e5d6d75ea026d031bcd93d68dea66b168c1171c67a25c4ef2641c14", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "c9f55acd-2255-589a-a5f2-7d9ff8002fed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493737Z", "creation_date": "2026-03-23T11:45:31.493740Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493748Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d9f9e0d886e5c02e9b803fe730a9c796ce9bda5763d14fe591bae72c284a359d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ca0e062b-1254-54f1-a191-47e4b933af3e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473066Z", "creation_date": 
"2026-03-23T11:45:30.473070Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473079Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a11cf43794ea5b5122a0851bf7de08e559f6e9219c77f9888ff740055f2c155e", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ca1dcb39-6f83-5e95-9f83-7dceb7840be8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153258Z", "creation_date": "2026-03-23T11:45:31.153261Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153269Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d463ddc2979f150d69f7b0c029e6d2a496da80c31dd187fe17b5a4758422d3eb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ca21f245-0fea-5922-b730-e9a3fe6c35f1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467032Z", "creation_date": "2026-03-23T11:45:30.467035Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467044Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e0fa3fa9488583353b39f12f857911b7115ecd82b70f6fb7be70633d72147649", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ca22d5b7-1a3f-5294-9414-f2c4b1ac3791", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824820Z", "creation_date": "2026-03-23T11:45:30.824823Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824831Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff613c93ca3d3083256122c149f93d280c5a399b95056021d2824fe885abbc2c", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ca2846ea-82cb-5900-857b-dfa65eb613be", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621737Z", "creation_date": "2026-03-23T11:45:29.621739Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621745Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c470c9db58840149ce002f3e6003382ecf740884a683bae8f9d10831be218fa2", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ca44402d-5da0-5fd4-b3d1-c8991d23d2e6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472525Z", "creation_date": "2026-03-23T11:45:31.472528Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472537Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a3437986f500aa26ced21951972a96f9140f50d9ddb33e2f7b84f8ac105ca3bc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ca4c451e-ec0a-58b7-8304-d70e67ec5fb4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494302Z", "creation_date": "2026-03-23T11:45:31.494305Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494313Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "81b89074775eed6ce5b826ba2ebbe54ce0bfabb28c46395f5ac6c4dbce802fa3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ca63ff5f-a596-5194-95ed-dcfa9cc8496d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146674Z", "creation_date": "2026-03-23T11:45:32.146676Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146682Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "02576ccba2ff02ec564bef476ac55a92a16222d63c97550fb3d780f5c3de17f5", "comment": "Vulnerable Kernel Driver (aka isodrivep64.sys) [https://www.loldrivers.io/drivers/0144dbef-1da8-406c-8e35-7afee57dc471/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ca68401c-89d2-5dd2-9263-00344fe2c3f7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155084Z", "creation_date": "2026-03-23T11:45:31.155086Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155091Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c0618b18970ec645aa2ac31a8d76a28ca0ca8060bb9880002c58df4963ab857", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ca6d8802-8255-5fbd-8315-adc787e10db8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611132Z", "creation_date": "2026-03-23T11:45:29.611134Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611140Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "90f5962e6b2342eae05dc8f4c34d5291742537248587ccf6ac298691806a4517", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ca8d5d50-acee-52d5-a034-debb9cd72d9f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482856Z", "creation_date": "2026-03-23T11:45:31.482860Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482895Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee538988ff0a01845273de3c6ea3d822154314d017e58c0c93381466461448bb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "caa2f197-be4d-54a6-b465-7cc2dcde4c90", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816449Z", "creation_date": "2026-03-23T11:45:31.816452Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816460Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5b690ce513c1f2603e4184d4ea33d54210f6056b0103987ec4d1c57b351e7d7a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "caa9eef9-0b8d-5d6c-aca8-2cf2efac859f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811471Z", "creation_date": "2026-03-23T11:45:31.811473Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811478Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3a52d30f821736d913228ed911b309da51e5445cfc239ea95ab1c5e6ae4dd82b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cab74255-8527-55cc-85c2-73328bd0eb4f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620423Z", "creation_date": "2026-03-23T11:45:29.620425Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620431Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d5586dc1e61796a9ae5e5d1ced397874753056c3df2eb963a8916287e1929a71", "comment": "IBM Vulnerable 
Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cac26e01-bde2-5065-84b3-bb35025f54ed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459021Z", "creation_date": "2026-03-23T11:45:30.459024Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459033Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "18b923b169b2c3c7db5cbfda0db0999f04adb2cf6c917e5b1fb2ff04714ecac1", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cad34b53-da2e-5122-983b-b0367bd4ca01", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977356Z", "creation_date": "2026-03-23T11:45:29.977358Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977364Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "25a344cde4ba47efa3654afb5225f4a8f569f54f6c4448c00eb9fbd644fb96ca", "comment": "Vulnerable Kernel Driver (aka ProtectS.sys) [https://www.loldrivers.io/drivers/99668140-a8f6-48f8-86d1-cf3bf693600c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cad995d3-c4e7-5d93-af71-069fab3efba2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982379Z", "creation_date": "2026-03-23T11:45:29.982381Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982386Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cb5ebba562c33ef2ed93558913792726c8c2e5898531923589122ae31db64ebb", "comment": "Vulnerable Kernel Driver (aka winio64.sys) [https://www.loldrivers.io/drivers/1ff757df-9a40-4f78-a28a-64830440abf7/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cae007a8-87fc-5835-824f-35da2c195565", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808534Z", "creation_date": "2026-03-23T11:45:31.808537Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808546Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "099231d77895db5f1eb1018de0d2abf269353d7bc14e8ea2145c1fa662fee491", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cae93d5f-1ba1-5e1d-bfb3-d935abeb1f49", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499028Z", "creation_date": "2026-03-23T11:45:31.499031Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499039Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "63bb289bed7e5f60bdaf7a065f5e54e1ccec7a6148cd668f97705706bf2e0dea", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "caf15fec-e693-5f15-99cf-57f7813e49e5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147183Z", "creation_date": "2026-03-23T11:45:31.147185Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147191Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "36883ef1e53bb69e576c045971ff329c01e0c636e283c642c5790102e4f58fa0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cb014e14-cbdf-5069-b095-29d3d9325c71", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470132Z", "creation_date": "2026-03-23T11:45:30.470135Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470145Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cbc1543100df83a08f3ee9476cde83db616f610917cd4bf5ecaafad46b6f7e23", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cb0f47fd-98d5-5e67-8c74-362489d4d335", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150211Z", "creation_date": "2026-03-23T11:45:31.150213Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150220Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d110ef3acecc45b23c4d538a1b0389c7b0ad9deeb584316b55a4621d8168bac", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cb0febac-eb1b-5a1c-9020-65353a19b457", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145056Z", "creation_date": "2026-03-23T11:45:32.145059Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145064Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "402318361c6069fc4c8a6f31b6f81921a1116426e9e4504ddb7363f26ff4d9c8", "comment": "Vulnerable Kernel Driver (aka dellinstrumentation.sys) [https://www.loldrivers.io/drivers/86b9c8d6-9c59-4fd4-befd-ab9a36a19e36/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cb101e66-8a78-5f12-8e2f-d1b4c854a12c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607222Z", "creation_date": "2026-03-23T11:45:29.607224Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607230Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0ec25c3698a5dbcca4cf6cf7f84b6fc51968d4d150605dd36c86452bda81f3bb", "comment": "Dell vulnerable driver (aka dbutil_2_3.sys) [CVE-2021-21551] 
[https://github.com/SpikySabra/Kernel-Cactus] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cb107958-08be-5be5-a61f-6b3efa89ae6b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473038Z", "creation_date": "2026-03-23T11:45:30.473041Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473050Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ef1abc77f4000e68d5190f9e11025ea3dc1e6132103d4c3678e15a678de09f33", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cb171a55-85b7-5638-8c5f-42fdcc982b6d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456451Z", "creation_date": "2026-03-23T11:45:30.456455Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:30.456463Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0209934453e9ce60b1a5e4b85412e6faf29127987505bfb1185fc9296c578b09", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cb223633-f3a4-5386-ae2e-00b7c1b74f6d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819956Z", "creation_date": "2026-03-23T11:45:30.819958Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819966Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1848cb34d16559e3c8232c369d89fc12b5720b58300d8c4c21dade6e3ea8d585", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cb241825-b066-5264-a029-4a311283b3e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976679Z", "creation_date": "2026-03-23T11:45:29.976681Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976686Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "675329ef7a63a7c58d3daa6cb5c6e299143decec7a149c36a6bfe204bbf0407e", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cb28a922-db4f-5b1b-84b2-1738be63df28", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613206Z", "creation_date": "2026-03-23T11:45:29.613208Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613214Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dc8a1cf5402f95d61662531507b12b04e16922eb89108eb751d1c634d475ef67", "comment": "Gigabyte vulnerable driver (aka GVCIDrv64.sys) 
[https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cb28b8b6-3c07-5adb-8278-50b73fb3f61c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141486Z", "creation_date": "2026-03-23T11:45:31.141488Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141494Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1b61f69d9c11487bf5852e63d9980b5577ef44ef180933681d0b0a187bed81ea", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cb2b968e-c2da-5fd6-b58f-4c50a844a99f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.484720Z", "creation_date": "2026-03-23T11:45:31.484724Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484733Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7cc991132e6a0dfc648a2f4ac73e97af26eec1f90372236df6d539b972e06a2b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cb39c2ca-80f5-58c5-9555-b265aa40d27d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835490Z", "creation_date": "2026-03-23T11:45:30.835493Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835502Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "234ed5418a8db6f989add54ef8823eb1b2e8e73b0cff0716d0554fbc4490acbf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cb4bb953-609d-5e38-a217-c30c06a53386", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478133Z", "creation_date": "2026-03-23T11:45:30.478136Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478145Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4c812acb46a9d4b224cc20c70aeca969b00521123008cff8b1eb0367fdb0fc6b", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cb659702-9041-585e-8777-c89347646f73", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622967Z", "creation_date": "2026-03-23T11:45:29.622969Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622974Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"b8bf3bd441ebc5814c5d39d053fdcb263e8e58476cbdee4b1226903305f547b6", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cb65b31f-dfdb-5b49-bc2b-23a672caa6fa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828029Z", "creation_date": "2026-03-23T11:45:30.828031Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828037Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea9506eab19fbc25589a5e9058bb8be8c934ea88ab9ac62bee82627147e8506b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cb716ac5-156b-5b0b-9c6c-8b788c89bdbc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480979Z", "creation_date": "2026-03-23T11:45:31.480983Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480993Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "95e37414577d94a018dd2da7f59a835b0619b4c40068e717cb4ce4bd5137ab0a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cb79aa74-d622-5b62-8cff-806de0e17034", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142892Z", "creation_date": "2026-03-23T11:45:31.142894Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142899Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c286d288c474ffb42d80fcc692ff747c51275c34653f5b1c63f1e75de378d8c7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"cb7a572b-69ff-5d56-8b43-5c27f208735c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144447Z", "creation_date": "2026-03-23T11:45:32.144449Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144455Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "37206b758eac2c7775ef881c1dc9a96129a517069bdf47049afc3b29e328408e", "comment": "Vulnerable Kernel Driver (aka ProcObsrvesx.sys) [https://www.loldrivers.io/drivers/8a1a4a5d-3e41-4539-80cd-0cb751f7fab3/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cb8d06a9-8762-5ff2-a81f-94784b930102", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807502Z", "creation_date": "2026-03-23T11:45:31.807504Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807510Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "0e42755c0f27c6a89c6f101d28b0b43ca2899d543db85411a38449b96a9d49e5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cb944f3b-9895-5756-8ca4-93da3c9ef924", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455275Z", "creation_date": "2026-03-23T11:45:30.455279Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455287Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0391107305d76eb9ddf1a5b3b3c50da361e8ab35b573dbd19bf9383436b9303e", "comment": "Vulnerable Kernel Driver (aka netfilterdrv.sys) [https://www.loldrivers.io/drivers/f1dcb0e4-aa53-4e62-ab09-fb7b4a356916/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cb95ca08-7baf-5987-b7a3-b895aea9dfb6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:29.611619Z", "creation_date": "2026-03-23T11:45:29.611621Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611629Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "62daa7ab93684d935cdada8af43cba552d7692cb992411d27ba1ee50a9fb1883", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cb9c32ac-6f4b-5989-92f0-7e050265dc8e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827367Z", "creation_date": "2026-03-23T11:45:31.827369Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827374Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8427775632e60b14264ada48a86c7f59fde2f4e5cbc46cf4768c87cf7ad5a84b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cba77143-c52c-5e2d-aaca-109fa5f1ce47", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154431Z", "creation_date": "2026-03-23T11:45:31.154433Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154438Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c36037dedb296b6746f6ac6eea9b1a6eaa46eba4c49da895bcac79c39269a584", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cbaaa024-cffd-52cf-ad0b-c8116f0f0195", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491902Z", "creation_date": "2026-03-23T11:45:31.491904Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491910Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "ecceaf72e18dba67f0537b50ff56b9dd2643616a27a22b8be498d2cd7de9a2c0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cbba6613-b8c4-59cb-91e1-6894293cbbcc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471912Z", "creation_date": "2026-03-23T11:45:30.471915Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471925Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "65e3548bc09dffd550e79501e3fe0fee268f895908e2bba1aa5620eb9bdac52d", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cbc35264-0230-534d-a3ea-7b5aa9697ae7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154935Z", "creation_date": "2026-03-23T11:45:31.154938Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154943Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b16be2f9bfc6ba39d29e5aa1f82e035f303d8e246f5f06a2be12435eea5336e7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cbd1f43e-f659-5525-85e0-11b851834a3b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143448Z", "creation_date": "2026-03-23T11:45:32.143450Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143456Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "06967882fae2160cec07ea7b31685deefc61e1e6153ed8e87ee8a1f7086afc5b", "comment": "Vulnerable Kernel Driver (aka GPU-Z.sys) [https://www.loldrivers.io/drivers/0d6f1b0f-b94d-4254-b3bb-49de61246260/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cbd58266-f777-5dee-8499-06aea4427b09", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476616Z", "creation_date": "2026-03-23T11:45:30.476619Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476629Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6d4cb02a826973521678309a0076b2fd50894c09dda87ca86089e815f4bc9bce", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cbdbe2c5-110c-59a6-94aa-9d8b0b5b51a4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160605Z", "creation_date": "2026-03-23T11:45:31.160607Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160613Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"7f6c9e43cb8e6af24315f57b638253c1d7f33793fdd879e6fb37a0e16b5a124b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cbec168d-3db5-55df-aca8-f58e7124e4a8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822800Z", "creation_date": "2026-03-23T11:45:30.822802Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822807Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e1a34446a3d8b2875a505b109a1c78177f9fa887472699ec9db5147b1074e42f", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cbfd3ad2-30a8-5d43-8a3a-58dd34ad2527", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:32.143278Z", "creation_date": "2026-03-23T11:45:32.143280Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143286Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6f2cf1c9502c5c5054edb556827ba30ffc2e6689faf807db404672781b032eaf", "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cc0fb1a5-ab03-5a9e-9b99-23b4157bdc31", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144239Z", "creation_date": "2026-03-23T11:45:32.144242Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144247Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ce106afd6a9996ac0150709a30d61ece7d7bfe1f27492c00f4fabab9ec40575d", "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cc211c39-1c18-50b4-8fc4-19ab2100642c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460766Z", "creation_date": "2026-03-23T11:45:30.460769Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460778Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "63af3fdb1e85949c8adccb43f09ca4556ae258b363a99ae599e1e834d34c8670", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cc26991c-7a8d-5f32-8da1-2ac9bdaee044", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461412Z", "creation_date": "2026-03-23T11:45:30.461416Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461425Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c09dfc18959fe51d3e5ca1500a94ab74faf0eb72040930e89cdbac653df9e816", "comment": "Vulnerable Kernel Driver (aka sfdrvx64.sys) 
[https://www.loldrivers.io/drivers/5a03dc5a-115d-4d6f-b5b5-685f4c014a69/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cc2ae10a-2b78-532c-b490-541ba4da7ce1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816730Z", "creation_date": "2026-03-23T11:45:30.816732Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816737Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c8a34012c22a650972b9ecad988d346c8670bcd51ea2dd3ab7fe4562e117f1b9", "comment": "Vulnerable Kernel Driver (aka tdeio64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cc2d271c-83f8-5eb7-bd88-00f6fc15ceae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159925Z", "creation_date": "2026-03-23T11:45:31.159927Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.159933Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd0a5c191a978babdeb51d51a04febf704eba136340779428d81ebc943ea414c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cc532f37-a6b6-55c9-ba2d-913f68dd3b66", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828512Z", "creation_date": "2026-03-23T11:45:31.828514Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828520Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6181015e118e8608d4566b40ba17989687fa2ea747c5f8f1905b5a234cfeebeb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cc54e382-f4eb-5e6d-bde3-a6f577ae4666", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819154Z", "creation_date": "2026-03-23T11:45:31.819156Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819161Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "696cef6890b99a72a0f92b6bd3d9e5ad490f29974c559fda2242f85534585700", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cc5973e9-d3f5-5a2a-a478-1ed80d58e913", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830295Z", "creation_date": "2026-03-23T11:45:30.830297Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830303Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bd6451ffd62f127371b838d4ab8e353df383b38b548f0cce33fa70cdad4ee13b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cc5e17e2-978f-5162-9e1c-dc42fca4d15f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829959Z", "creation_date": "2026-03-23T11:45:30.829962Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829967Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "35ae4385e59c4ad684d6344ceb4c1fed53589fb56afb4b0c639bacd11356664c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cc5f6ed9-5fa8-5235-8991-3dd4a51267dc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811327Z", "creation_date": "2026-03-23T11:45:31.811329Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811335Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3c428d3faddd8e0f6678ced8e923eed078877e5ee6cf7b2c20b29315f84b5a8b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cc5fa0d0-0654-55cd-ab17-687ba6bad1f4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456306Z", "creation_date": "2026-03-23T11:45:30.456309Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456318Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "11bc55c0771d692279298211c1d434c04168e7c7f7c4328bfd600215b88c819b", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cc7033d3-76d0-5f11-8d6b-a5128db279d7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145018Z", "creation_date": "2026-03-23T11:45:31.145020Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145025Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a03d159cd02bf1f8cda64a0843dd4ee7379dde9030985ede6c8a16e3b854c112", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cc719060-d526-59b9-a627-8860bbe62c15", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473514Z", "creation_date": "2026-03-23T11:45:30.473517Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473526Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c84b0dbc0024c88c61a06d0aa7663a17a15e7c062f185811c5d85e1155e25aeb", "comment": "Vulnerable Kernel 
Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cc8750b8-4d37-5a54-8aec-dee239575a58", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606309Z", "creation_date": "2026-03-23T11:45:29.606312Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606319Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee24071d9a0ef38dc98929cfb4d316f9fb010de107c110fad2403022cf1eebfc", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cc890b60-3935-5bd3-a1f1-a8dd4f623dd9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823845Z", "creation_date": "2026-03-23T11:45:30.823848Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823853Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "60744995c1eb14063a6f33e17c77f081c05a4e7bc4d4154e291a70d74d44efce", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cca11486-603e-578d-ba67-e7a279a86c8c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816748Z", "creation_date": "2026-03-23T11:45:30.816750Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816756Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d8fc8e3a1348393c5d7c3a84bcbae383d85a4721a751ad7afac5428e5e579b4e", "comment": "Vulnerable Kernel Driver (aka WiRwaDrv.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ccb4faf1-d1de-5882-8ccf-161101d53056", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812028Z", "creation_date": "2026-03-23T11:45:31.812030Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812035Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c891c2b8dc44d5b8c3156011f3daed4c15f88987ac712f5500e2b1f5248320e0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ccb50528-c00c-538c-8329-5946a44a33ed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607276Z", "creation_date": "2026-03-23T11:45:29.607278Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607283Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "40061b30b1243be76d5283cbc8abfe007e148097d4de7337670ff1536c4c7ba1", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka 
RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ccb56504-0f4b-5314-8590-1fe56ae9466f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608968Z", "creation_date": "2026-03-23T11:45:29.608970Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608975Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "133e542842656197c5d22429bd56d57aa33c9522897fdf29853a6d321033c743", "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ccc1ba0b-b9a5-52dc-ad3c-5e5c5f484ad8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468433Z", "creation_date": "2026-03-23T11:45:30.468437Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:30.468445Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ba467c6edee7266721c220fbc84cb80c995d429052846865d869609602d6e48c", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cccd6743-9e7d-5fcb-9711-b5aa0d58db4e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814414Z", "creation_date": "2026-03-23T11:45:31.814417Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814425Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "386b6aef03c78da2152aa5a111334233a101e5f2b64da7ac1acd48df07cad8fd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cce8da9f-c3bc-54d2-a25d-346d2c879ae5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825707Z", "creation_date": "2026-03-23T11:45:30.825709Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825715Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7a6191d9bf3893260b98fdbb7fe591995ef808d0dfb9fdf0f8adc4c8e3807e39", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cce93915-2169-5854-87c8-535c4d845953", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140436Z", "creation_date": "2026-03-23T11:45:31.140439Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140445Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ffbf8df7ebe5e9e986234df80d2dfe4a1c9e0c80c754ab083dca23adc479338c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cce96201-b970-5d98-a01f-b914aa626df2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485193Z", "creation_date": "2026-03-23T11:45:31.485197Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485207Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f666e4c15474b933cef24d8fbec5d0548b4d8e29c8234a294f6b8d34b5a69ba0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ccebfc93-742d-552d-8679-b9f557c1a0f1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157275Z", "creation_date": "2026-03-23T11:45:31.157278Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157292Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "11a31fe46d741ac5b1c369ba7befee1c1662c9e1ba742b59fd06fe7dc622ad3b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ccec40e6-65cb-5df2-9568-694de4162a84", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153823Z", "creation_date": "2026-03-23T11:45:31.153825Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153830Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "529772e2f822515b4beb7c757ba6b24f92425da9d9001e3acdeeb66acbdcb89c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ccfd2488-c74b-5836-9e9b-c56525f8b71b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143187Z", "creation_date": "2026-03-23T11:45:32.143189Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143195Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "37c637a74bf20d7630281581a8fae124200920df11ad7cd68c14c26cc12c5ec9", "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cd070543-98d2-50b8-941a-6aef5cf04953", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824216Z", "creation_date": "2026-03-23T11:45:31.824219Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824227Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7fe9d82bbc96b5f06ba26cda470e65a2635a4278a756a83bc3f194f82ca876c6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cd0795cf-0012-5929-818e-bfa2e5b125e5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825762Z", "creation_date": "2026-03-23T11:45:30.825764Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825770Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cc9c84e903cf4f38679ced83da831a3e0b1f52a67af63584dcd460ef37b2979f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cd085da7-3b1d-51fc-ad80-6fad58dc7426", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823808Z", "creation_date": "2026-03-23T11:45:30.823810Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823816Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c50fd5f40905bc6a5e3dd556c2ac9076c45bf474b731cf6464e0524b7a628e1b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cd0cd0ee-da64-513b-8b06-892c11af7f8b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495743Z", "creation_date": "2026-03-23T11:45:31.495745Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495750Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1018ec7f5dd9a040766bcd50ea37af78eeb4e272fb62938c81570cc8bf579f78", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cd0d686d-4b39-5c8f-bfed-f31890b68fa6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817321Z", "creation_date": "2026-03-23T11:45:31.817323Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817329Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "26fa810f6be2ac7eaf8abe164b866ced47bbaa09f75605482778724e1a99f0e6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cd238424-daa8-5ac1-a82b-630aa6f955ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825458Z", "creation_date": "2026-03-23T11:45:31.825460Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825466Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"8dd2a8f5333e47806e0a43c260a43558fcfe636e2da3ace624265425bf9dad3a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cd3de490-0e58-5300-b257-e8fd7fbd2e72", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605413Z", "creation_date": "2026-03-23T11:45:29.605415Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605420Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "74716032cc2f63c67b9df0882c6794b4bf66147d943329db5f233a04c2fd9b12", "comment": "Backstab Process Explorer driver (aka PROCEXP.SYS) [https://github.com/Yaxser/Backstab/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cd47f623-4458-5be1-9742-d54426297046", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487180Z", "creation_date": 
"2026-03-23T11:45:31.487182Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487188Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f158b1653c6a42e9399b20704b5bd0e874bfff1accc74162e4b29a9eb6955218", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cd497a80-a8f7-508a-a1ae-61d5c29d6d3a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814210Z", "creation_date": "2026-03-23T11:45:31.814213Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814221Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "35c4e2e810cd6526a6078d9e7fb5e084b7223da6d605830c9d11f5997791fe47", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cd5f956f-4af1-5d0c-947a-c90e546aa174", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615677Z", "creation_date": "2026-03-23T11:45:29.615679Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615684Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9c513f4d4c38a10af9f4a967bb6c7901275adf0df8046fc7e1b7e4c3e3c7c3cf", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cd72cf32-8a68-540b-bd38-31618cad8fbd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818820Z", "creation_date": "2026-03-23T11:45:31.818823Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818831Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", 
"value": "e259d26fedebd3a133c4455da83818ff37ec04fcaf79c1382763f5a5e0d49afc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cd86920f-ca70-5587-8d37-127347bd5abc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977550Z", "creation_date": "2026-03-23T11:45:29.977552Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977558Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f15ae970e222ce06dbf3752b223270d0e726fb78ebec3598b4f8225b5a0880b1", "comment": "Vulnerable Kernel Driver (aka CorsairLLAccess64.sys) [https://www.loldrivers.io/drivers/a9d9cbb7-b5f6-4e74-97a5-29993263280e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cd956d48-a814-57ad-b158-a0e702310218", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.482153Z", "creation_date": "2026-03-23T11:45:31.482157Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482167Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8cb0167095ae5e3c3614b8f292e1f492a50d9ee54123bc37935ad282e5aa0bab", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cd95ff3c-9515-5548-b244-77db4a972e00", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613277Z", "creation_date": "2026-03-23T11:45:29.613279Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613285Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a7c2e7910942dd5e43e2f4eb159bcd2b4e71366e34a68109548b9fb12ac0f7cc", "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cd97ec33-e529-5337-99b8-5e0a15c441a5", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836310Z", "creation_date": "2026-03-23T11:45:30.836313Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836322Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5ae14f1a2c380990785857b2e0581fd07208d26515a25463f39743018b756091", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cd9a55b4-88d6-57ac-917b-27c91c643d80", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985321Z", "creation_date": "2026-03-23T11:45:29.985323Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985329Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "7cfa5e10dff8a99a5d544b011f676bc383991274c693e21e3af40cf6982adb8c", "comment": "Dangerous Physmem Kernel Driver (aka Se64a.Sys) [https://www.loldrivers.io/drivers/d819bee2-3bff-481f-a301-acc3d1f5fe58/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cd9bcdd8-d46b-55e7-93fe-4d7892a392f5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455846Z", "creation_date": "2026-03-23T11:45:30.455849Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455858Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "02f63773cdd991c891e10044633630154ae6fa63dbfe9b35082e48d4924f2dde", "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cda14e89-71d0-5b27-8c5d-bb97ec72303a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480526Z", "creation_date": 
"2026-03-23T11:45:30.480528Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480533Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1eff553cab0e6db50aa18e1ea10fbc9349b7529c938df4bed580f037cddd1309", "comment": "Vulnerable Kernel Driver (aka GtcKmdfBs.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cdab48d2-3808-58d5-b903-80adca284bde", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471684Z", "creation_date": "2026-03-23T11:45:30.471687Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471696Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c1b41d6b91448e2409bb2f4fbf4aeb952adf373d0decc9d052277b89ba401407", "comment": "Vulnerable Kernel Driver (aka AsIO.sys) [https://www.loldrivers.io/drivers/bd7e78db-6fd0-4694-ac38-dbf5480b60b9/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cdad37a0-259d-5608-9317-2ed27294edee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816264Z", "creation_date": "2026-03-23T11:45:30.816266Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816271Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e8eb1c821dbf56bde05c0c49f6d560021628df89c29192058ce68907e7048994", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cdafbd2d-0afe-5cd6-85cc-0265ef6ca90e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156774Z", "creation_date": "2026-03-23T11:45:31.156776Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156782Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b14e251fb2483ca4c555b4ec3ea204a04cfe2f08bdc54f27d8a0613df6a6e002", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cdb1059b-1361-5cbd-9336-640d795cb6f9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472463Z", "creation_date": "2026-03-23T11:45:30.472466Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472475Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "019c2955e380dd5867c4b82361a8d8de62346ef91140c95cb311b84448c0fa4f", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cdb4fece-37fe-5512-a8c7-957e4b6b653c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608688Z", "creation_date": "2026-03-23T11:45:29.608690Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608695Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "df0536cdaac3ccc891ae2c41d176927ddee16b0ecdc3701e3eb96b0132917003", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cdc4fb41-dc45-5953-8f3e-c3d10ed5611d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968792Z", "creation_date": "2026-03-23T11:45:29.968794Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968800Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0b2ad05939b0aabbdc011082fad7960baa0c459ec16a2b29f37c1fa31795a46d", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cdc5ea31-cfb1-5f2f-9220-2c5adf36d768", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457507Z", "creation_date": "2026-03-23T11:45:30.457510Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457519Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "db711ec3f4c96b60e4ed674d60c20ff7212d80e34b7aa171ad626eaa8399e8c7", "comment": "Vulnerable Kernel Driver (aka rtkio64.sys ) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cdcd8efe-f5df-5969-9372-256190f5479d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829929Z", "creation_date": "2026-03-23T11:45:31.829931Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829937Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4efdce2a99b86911359011fa82c9752cfe37a69d078ed6077106cc8634ea786c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cdceea7a-3c06-5b2b-b8ee-3449e6d36deb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605539Z", "creation_date": "2026-03-23T11:45:29.605541Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605549Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff9b3fc49bb3cd9a2ffea2dd8075a34908346fb8393aa2bf13aa15ac72583928", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cde47c20-b24e-5659-9c6d-e01f6eb44a47", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146044Z", "creation_date": "2026-03-23T11:45:32.146046Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:32.146052Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d590ee21ef889c847c8c80efe07f91cae4390d5663e6dc7a81077efce3737249", "comment": "Malicious Kernel Driver (aka kavservice.bin) [https://www.loldrivers.io/drivers/77157886-00f9-4f6e-b217-d896813b630f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cdeb9640-2df0-5908-80d3-7eeb3e36f452", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604301Z", "creation_date": "2026-03-23T11:45:29.604303Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604308Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "df101558cf68e3f50fb468248699e6f3938be7a893680bd4803fc2afe20bfd78", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cdebcc04-f00e-5f6f-b555-f9852bc14ad4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818381Z", "creation_date": "2026-03-23T11:45:30.818383Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818388Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f13f6a4bf7711216c9e911f18dfa2735222551fb1f8c1a645a8674c1983ccea6", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cdf5ec76-327d-51e9-9d74-dc6e47b0369d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816767Z", "creation_date": "2026-03-23T11:45:30.816769Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816775Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c7e5bd0090962b4f31e17ab3d1f97bd9870d23238b591a70e27a0c91db138f95", "comment": "Vulnerable Kernel Driver (aka WiRwaDrv.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
} { "id": "cdf8f987-617c-5fd1-b67c-25252b9e76ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970990Z", "creation_date": "2026-03-23T11:45:29.970993Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971001Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f902d78dada1658d688b1a8aac6ef48bdf968c859149f60f6c26e5b8af4656da", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cdfa3b3a-c6c9-58cd-8450-36efac53b6e5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970864Z", "creation_date": "2026-03-23T11:45:29.970867Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970891Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": 
"hash", "value": "5a9915ea7863a0d26c69402287a1afc8af360a5318b970d9b36f8820e5c9e568", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce0328e7-c8a3-5c55-9ef4-5dbb70a9e23f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460637Z", "creation_date": "2026-03-23T11:45:30.460640Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460648Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "08828990218ebb4415c1bb33fa2b0a009efd0784b18b3f7ecd3bc078343f7208", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce03db4f-19d3-548d-bf13-a59b2ebf70b6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473862Z", "creation_date": "2026-03-23T11:45:31.473866Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473894Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4aea15c43e587f43baa437ef48bd9c70f692a35ba9510537122fa60ae6439a78", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce0489ef-6d69-5586-9fef-01796631666d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836359Z", "creation_date": "2026-03-23T11:45:30.836361Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836367Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "25ed1a52146816e02d41cf3938de7174806f58aad8f1e8c0ddc3801d20e60819", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce08f2c3-e400-57c2-8498-b7ed1db2dcab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620048Z", "creation_date": "2026-03-23T11:45:29.620053Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620060Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "976c015b28197ccd15f807b776f705bdf612fc622fb0a4b9901b90f180bf2f8a", "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce0a8a7a-2005-50b8-a2c5-aa16afd9d128", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817123Z", "creation_date": "2026-03-23T11:45:30.817125Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817130Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f4dc11b7922bf2674ca9673638e7fe4e26aceb0ebdc528e6d10c8676e555d7b2", 
"comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce198238-36b3-5b91-9ad2-33c4776d41f8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817250Z", "creation_date": "2026-03-23T11:45:30.817252Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817258Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5daa8fa3b5db2e6225a2effea41af95fe7ffc579550c4081c8028ed33bc023b8", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce1ae374-d2de-5dae-ab6d-d76f9028c869", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816118Z", "creation_date": "2026-03-23T11:45:30.816120Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816125Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9303894ee50d95911ccd4583b2aa5484db63de0d8f799b14854577e15914df2d", "comment": "Vulnerable Kernel Driver (aka sysconp.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce1b53b4-f08c-5b62-948b-a45db7a77877", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494815Z", "creation_date": "2026-03-23T11:45:31.494822Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494833Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e0a01628d39cd0fd2542aceb122c84ff022417860480ca348ade49ca0ae6f5c4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce1e1fe9-f5e5-5d7c-8bc5-09fa9a03ea16", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617850Z", "creation_date": "2026-03-23T11:45:29.617852Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617857Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0a89a6ab2fca486480b6e3dacf392d6ce0c59a5bdb4bcd18d672feb4ebb0543c", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce329b47-47aa-59a9-b141-a197b231c51c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492610Z", "creation_date": "2026-03-23T11:45:31.492612Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492618Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "18b794710453ffbf8ea6812b3c67f0834c5262547097e7509bc3d8e13aaa3500", "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce3e4491-5fad-5e16-840e-acc9b5f7e447", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828737Z", "creation_date": "2026-03-23T11:45:30.828739Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828745Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "58a4e00d40077cb1532967dc9a66d485a9e580a4f9d4ab4052f645bc76028c43", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce459142-5004-5235-8dc4-2f2f7152d10d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817515Z", "creation_date": 
"2026-03-23T11:45:31.817517Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817523Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a4bec310f9a33386df4085f4d4df5880572f2ba44ae258d466e2b0551ea5df9d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce48afdc-2747-5090-8157-f2dafcf192b6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499349Z", "creation_date": "2026-03-23T11:45:31.499352Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499360Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cdb7d0ecd7c09135ffea8f715e1b52c9e193d87ee46f460d826c50b4578d1a9e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce49b158-22b6-537f-a1a9-ce79dc4aeb14", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455164Z", "creation_date": "2026-03-23T11:45:30.455167Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455176Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "16b6be03495a4f4cf394194566bb02061fba2256cc04dcbde5aa6a17e41b7650", "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce4eeabf-d1ad-51db-a76f-5876c15c7e49", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475923Z", "creation_date": "2026-03-23T11:45:30.475927Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475935Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"e89cb7217ec1568b43ad9ca35bf059b17c3e26f093e373ab6ebdeee24272db21", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce4fc928-5627-54e4-88c3-facc56c5e687", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157205Z", "creation_date": "2026-03-23T11:45:31.157207Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157212Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "96d381aa428e3d885b399285e19a8b6aeafc94d736d3575cd5af8f8f58c0d979", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce58d9f1-605e-5a80-a21c-84eb03f355f6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483920Z", 
"creation_date": "2026-03-23T11:45:31.483924Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483935Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b5f6dc31336aaaa2fda0af4c38855cb33bdabc66faca07304bc163c490619500", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce63c5a3-c672-57ed-8455-28fccbd5b21b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490829Z", "creation_date": "2026-03-23T11:45:31.490850Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490858Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fe9520ae42fc9ea258ca7fd2054b4e05acc1aa45089a703fd486753eba57ab11", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce68c78e-37d5-56b9-89c8-5d3b922a1db5", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153736Z", "creation_date": "2026-03-23T11:45:31.153738Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153743Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "201c02478e89e011a9a5c8f9d496ea8f10684c761ddeeaf14342cfb30c0003ca", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce69fa95-d4b1-5062-b53b-e77be033e897", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824488Z", "creation_date": "2026-03-23T11:45:31.824491Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824499Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "4a9b1b00235f0814ccef667762cdecaae9c195e9165355f73125b4bb386d7b3c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce6a0e81-1215-5d2f-a38b-7bb41d9454ba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970906Z", "creation_date": "2026-03-23T11:45:29.970909Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970917Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "463829eecbdd9c72faa3a3cab55cb52c95e93c3b79bafe855e199354432e7f76", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce6f93fb-15eb-541a-895b-eed8f215b7ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479314Z", 
"creation_date": "2026-03-23T11:45:30.479316Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479322Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "16c63f5ebd96caecae3581a91b949ccc803cf7c18482448d19f9433d6d40ebee", "comment": "Vulnerable Kernel Driver (aka VBoxTAP.sys) [https://www.loldrivers.io/drivers/f22e7230-5f32-4c4e-bc9d-9076ebf10baa/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce6fb95e-0f44-533a-a10f-3fc969feb434", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605522Z", "creation_date": "2026-03-23T11:45:29.605524Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605529Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "32726f7b4f4c51dfe0c0de47408c6d88e8b1664ab10529f2f994bd0e1b5814e5", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce7924c3-5a86-573f-9dc1-55615a2df8af", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155967Z", "creation_date": "2026-03-23T11:45:31.155969Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155974Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "925c0c27fdfbc02f3300954d6628a35479599ec1b28c6b899bf5ca12c4816097", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce79a240-6286-5ca6-9456-6637c047880c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984582Z", "creation_date": "2026-03-23T11:45:29.984584Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984590Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"1e704bcd0526a76661be083041793be319773d2fed132e45435d800d6918532d", "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce7bdd17-5738-5487-8217-7ea7e0015039", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461097Z", "creation_date": "2026-03-23T11:45:30.461101Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461110Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3ac8e54be2804f5fa60d0d23a11ba323fba078a942c96279425aabad935b8236", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce7fd246-ecd2-5a57-997b-9d2d32ea9a56", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610423Z", "creation_date": "2026-03-23T11:45:29.610425Z", "enabled": 
true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610431Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5177a3b7393fb5855b2ec0a45d4c91660b958ee077e76e5a7d0669f2e04bcf02", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce84469e-175d-51e1-9e0d-483856c4895b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816190Z", "creation_date": "2026-03-23T11:45:31.816193Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816201Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9c4433e84f9db7a62daa9a681ae728530602a1b1e119a5a9d13ae4366df45c71", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce856d80-4bd4-5bb1-b872-cc35a9ca1916", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475590Z", "creation_date": "2026-03-23T11:45:30.475593Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475602Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c3fa8f5c8094a6c6936faff1d1faa02fd489482f21c288e6c700446ade5c20be", "comment": "Vulnerable Kernel Driver (aka vboxguest.sys) [https://www.loldrivers.io/drivers/0baa833c-e4e1-449e-86ee-cafeb11f5fd5/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce879408-ac73-514b-8ec4-8f443abf91d9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486294Z", "creation_date": "2026-03-23T11:45:31.486297Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486307Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1e2985dd57d6797f48b4358ffbc5e9f9e01fa27ba9e2d609f99029b30b80e5b8", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce9083f8-3e43-5a4a-b2f2-80bcc2a6c595", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817087Z", "creation_date": "2026-03-23T11:45:30.817090Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817095Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ef438a754fd940d145cc5d658ddac666a06871d71652b258946c21efe4b7e517", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ce9ff95b-84a7-57a6-ad14-5e8f1c3e60e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480590Z", "creation_date": "2026-03-23T11:45:31.480594Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480604Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e25f7e8d25659647fea1d520c454f16f7aa113f0e556934e8b573c3c440ce717", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ceb3f76f-8919-5e6a-bedf-4d16a0703bcd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452157Z", "creation_date": "2026-03-23T11:45:30.452160Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452169Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c3d479d7efd0f6b502d6829b893711bdd51aac07d66326b41ef5451bafdfcb29", "comment": "Vulnerable Kernel Driver (aka mhyprot3.sys) [https://www.loldrivers.io/drivers/2aa003cd-5f36-46a6-ae3d-f5afc2c8baa3/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ceb86114-188f-5df1-b666-700dea293eb1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969576Z", "creation_date": "2026-03-23T11:45:29.969578Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969583Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0cb639c7b27fec183ac475c91a66d91f24b500a5fa5dcabdd6920931626dfd93", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cebf7df6-3c8c-5f01-a07f-61e6154863b7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140926Z", "creation_date": "2026-03-23T11:45:31.140928Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140934Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1dfbf17efbf37083968567ee13ff832e0e23a27eb9244d5416e52bdae53d53a9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cec890c3-fb42-5da0-99ad-bd770dcb7e44", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148537Z", "creation_date": "2026-03-23T11:45:31.148539Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148545Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e849ec0c64d3d01309acf125f76c8f526aa9e5eb34cfeb85967a3a04be77ba80", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cec8ef06-547d-57fb-9ec0-b71509ed5266", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499775Z", "creation_date": "2026-03-23T11:45:31.499779Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499787Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d099b7787a3cd78eb5ef0bcff982a8e6964cd792f96069110ef7d1101603230f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ced0ebd2-148a-586f-b79e-54d26d63b8d4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495076Z", "creation_date": "2026-03-23T11:45:31.495078Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495086Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ccd62ae166e2ca48bdadc835e56fadc1aa3d239b408f998d60c5e19d7febe0a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ced80048-a28f-528d-9c0c-ebd741b90cf9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822899Z", "creation_date": "2026-03-23T11:45:30.822901Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822907Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "442d506c1ac1f48f6224f0cdd64590779aee9c88bdda2f2cc3169b862cba1243", "comment": "Vulnerable Kernel Driver (aka SBIOSIO64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ced9de67-316d-5471-a0b9-ab12b4e36070", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810344Z", "creation_date": "2026-03-23T11:45:31.810346Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810352Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3c2577d760341250044463abbf12c9bfce8556135127851a14fbe95cd404ad3a", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cedd73e0-328a-52b0-8196-a9ce43909c38", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146095Z", "creation_date": "2026-03-23T11:45:31.146097Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146103Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "37a729ead982b58a07840bf0e2cc8fcbfb2c1b446b0cd7bd1b1dd2b1ce18eda4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cede6bfa-d3fc-5a2c-a59d-5281bfb3b7d5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826595Z", "creation_date": "2026-03-23T11:45:31.826597Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826603Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "161b2e84ee61f38f197d03d5c66bebb13d5722d4bd3e326e52ce40181b347cff", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cef6c5e5-e553-5963-bcb1-7b4b49ab61c6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816454Z", "creation_date": "2026-03-23T11:45:30.816457Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816462Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ec81b458b41c9732341ec8cde57b9b7c7bb776b3bc08f45f2c815c3692072d04", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cf026a4d-e788-5d2a-a157-7354c9e53923", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144038Z", "creation_date": "2026-03-23T11:45:31.144040Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144045Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c1f0efdda4b3e0a25457fc1a9237178ba2d0694995bad02037a66817dba0cd39", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cf1e4dbc-121f-5771-9935-0a2131b1108a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608457Z", "creation_date": "2026-03-23T11:45:29.608459Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608464Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"26f41e4268be59f5de07552b51fa52d18d88be94f8895eb4a16de0f3940cf712", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cf215a79-7265-5fbc-9ca3-891dc9afe758", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833012Z", "creation_date": "2026-03-23T11:45:30.833015Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833023Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "403e06568d2765f574287db1ce1e706ee56234df7da5d57d963cdd2e8c50d72d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cf29956d-0174-507e-8cc3-68436f27a990", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.457776Z", "creation_date": "2026-03-23T11:45:30.457779Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457787Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c6feb3f4932387df7598e29d4f5bdacec0b9ce98db3f51d96fc4ffdcc6eb10e1", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cf413540-5fe9-517a-8470-0f3946ba545e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618168Z", "creation_date": "2026-03-23T11:45:29.618170Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618175Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7ef8949637cb947f1a4e1d4e68d31d1385a600d1b1054b53e7417767461fafa7", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cf42b340-1c68-5cef-ae74-158eade282dc", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474712Z", "creation_date": "2026-03-23T11:45:30.474715Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474725Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7699613119b25fc5886305e43ff556f8d53560cfa7707ab456f3165ba4ea374b", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cf4551db-2202-5282-906c-a1dcd7b13132", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141328Z", "creation_date": "2026-03-23T11:45:31.141330Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141335Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"ff9ad483752fcd68f51fa798194a3b6df55fb4332ca10cb24bb7e98b168396b4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cf519a83-54d3-501f-aca9-a94796c94a66", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968476Z", "creation_date": "2026-03-23T11:45:29.968478Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968483Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "06aabaeb78213f66d119a699db7602d841ae7f6b9ec9100b1a534abe5709e516", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cf5544fd-e310-5d14-b670-5d450cc451cb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.498036Z", "creation_date": "2026-03-23T11:45:31.498039Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498047Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "94131b5c56a10bc562b15eb3966c4481b165737118a6e1102e67ff291308cf38", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cf633852-1fbf-5ed3-9844-6e462ea345eb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452542Z", "creation_date": "2026-03-23T11:45:30.452545Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452553Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0c1b21978c6aef881f056f7b9c909b56488019459ed256511d78a4588d1aa7a4", "comment": "Vulnerable Kernel Driver (aka skill.sys) [https://www.loldrivers.io/drivers/724d7989-dfce-4bb2-9beb-dee15df5b790/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cf653a27-05dc-58e7-859a-7fa059ada47f", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145342Z", "creation_date": "2026-03-23T11:45:31.145344Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145350Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "15f91017e60f244aff3a7449dcb0e1480bc14e91e1a4f118a98e6610c2c962e7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cf6561a1-5268-5c4b-a666-952c1b028212", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468799Z", "creation_date": "2026-03-23T11:45:30.468802Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468810Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"612aa28d12aefd2af8565d4df6df9caa61b5fe8370fffb08933c03d558789e37", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cf66bd11-8baa-5d17-a944-8792c1addf22", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979829Z", "creation_date": "2026-03-23T11:45:29.979831Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979836Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d7bc7306cb489fe4c285bbeddc6d1a09e814ef55cf30bd5b8daf87a52396f102", "comment": "Vulnerable Kernel Driver (aka nt4.sys) [https://www.loldrivers.io/drivers/1d4f7a3a-786b-4a74-b34f-14d44343de9e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cf6a53c0-d91c-57dc-9dfa-3ced6a9757ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.497578Z", "creation_date": "2026-03-23T11:45:31.497580Z", "enabled": 
true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.497586Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "62593294a57baf97ad7d8982aa250db537da892593d773515722e70e6784947b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cf6fe948-eec2-5996-939a-58b94289fa11", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457158Z", "creation_date": "2026-03-23T11:45:30.457161Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457170Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "14e6f0d5f93dc52471af549de1c91c1fc1d9dbd175d5932c17e58e6b186694c9", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cf72ddce-1688-58ed-9801-84eaa892dd87", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818789Z", "creation_date": "2026-03-23T11:45:30.818792Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818797Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "56135fb8d5d3ed93b38679cb0dea9cc16ed7fdb0db9659e40a5c2d82655ada67", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cf8df38b-9ccd-5795-ab73-4daaa8189c56", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972755Z", "creation_date": "2026-03-23T11:45:29.972757Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972762Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ac42c7b1d9feccd48c305698942186d580b7bfd047bb73dbf028f3fed7aa24ad", "comment": "TG Soft vulnerable driver (aka viragt.sys and 
viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cf8f8d4a-c6d9-57a3-8e85-99113b42dc1a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984441Z", "creation_date": "2026-03-23T11:45:29.984443Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984448Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e2c531a771b0df1585518a22427798e86611e6be3d357024797871a1b3876e9c", "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cf99055d-19ab-5f41-a9b6-92daaba1144d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482590Z", "creation_date": "2026-03-23T11:45:31.482594Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482603Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0d8627fccac3c1c6ad9926a28fdafd207bfd5022e8e927a7004928fb06b34b2c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cf9db006-a4e9-56e5-bf08-ab11b6c06eb9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452050Z", "creation_date": "2026-03-23T11:45:30.452069Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452090Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "235ab6981b521a424026926ad7f5d19a188e17491933e76269ad9a17a79ccc24", "comment": "Vulnerable Kernel Driver (aka VBoxUSBMon.sys) [https://www.loldrivers.io/drivers/babe348d-f160-41ec-9db9-2413b989c1f0/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cfb00a78-ae16-5cff-8e35-f551658c2d42", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148503Z", "creation_date": "2026-03-23T11:45:31.148504Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148510Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f76ca1c2916e039a9e9bf78005cdb54be966e01c2434022e866d419b2b0aca80", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cfcaf0fe-f7bb-5a67-8d07-f62b9fb4921a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618734Z", "creation_date": "2026-03-23T11:45:29.618737Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618746Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "057e6a58e3515e56eab85ccb8ec5086552b7de98c886c37f6a5284c002615565", "comment": "NVIDIA vulnerable 
flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cfce64ea-e15c-5eb3-b2bc-013fdae358f8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469262Z", "creation_date": "2026-03-23T11:45:30.469265Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469275Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3bafb4e11a3823b3455728e938c69103dd4ff414529d9579b38b5ee12f77bce0", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cfda00f0-44ea-59f4-9f4c-cb16e21acf28", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147695Z", "creation_date": 
"2026-03-23T11:45:31.147698Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147706Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b6c4dd4cd8cd166a25ed08508864d26fdc309b84009c1431e3e44c6c733b5cbf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cfe2b979-e437-5182-92a4-3b9c2bed0182", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823417Z", "creation_date": "2026-03-23T11:45:31.823420Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823430Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5e3955aed83f0e304c0efbf18026eed1d85245cc2054cabf262df1e9654a8fdd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "cfe67115-ca9b-5cf5-9ceb-5d06f894293c", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455501Z", "creation_date": "2026-03-23T11:45:30.455504Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455512Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff1ccef7374a1a5054a6f4437e3e0504b14ed76e17090cc6b1a4ec0e2da427a5", "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d002d5bf-40ab-515b-b162-6c432b415b58", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490367Z", "creation_date": "2026-03-23T11:45:31.490369Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490374Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"27ae83e882c81045a7beaae03d886616e34e7501833f7f9e72297496d353bc39", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d0058350-395f-5d47-b7fc-0ef3c7b85594", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835055Z", "creation_date": "2026-03-23T11:45:30.835058Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835068Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b18bd2b50c20ec6604521c8124fd68b6993cbfd0cdfd1c6447aa8dbe99770baa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d00b46e4-94e0-51a8-8697-37fcb387dc30", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973305Z", "creation_date": "2026-03-23T11:45:29.973307Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973312Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5c0b429e5935814457934fa9c10ac7a88e19068fa1bd152879e4e9b89c103921", "comment": "Voicemod Sociedad Limitada vulnerable driver (aka vmdrv.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d013a2d2-b8e9-587c-a65e-0bd171642813", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823917Z", "creation_date": "2026-03-23T11:45:30.823920Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823926Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f7a53a1bcf34c5ab990eafcb598ec7df3089388a1dbe085e4b190c0b82a6ec99", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d0175763-87dd-5c01-abbb-71b86d9481f6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487308Z", "creation_date": "2026-03-23T11:45:31.487310Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487316Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a3a6b9ce2e106bfdb14cb1269c1f2f575c585ff36b3c69de2d4644a686939adf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d01af8fb-1a95-5e16-86d0-651f6d234e97", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830168Z", "creation_date": "2026-03-23T11:45:30.830170Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830176Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "79458431181462c1144b57d82ad913575876cdd8706a497c71db197a42f03f04", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d033b9eb-fdc0-51ff-9f4f-ef98c83e746e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609503Z", "creation_date": "2026-03-23T11:45:29.609505Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609511Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "35b1fdfa5cc9bb4a0d6e148140d59351447fa35c5c899e95da5f62a6b054af56", "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d042018e-94da-543c-b5cc-cb0a939d5838", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143631Z", "creation_date": "2026-03-23T11:45:32.143633Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143638Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "55b5bcbf8fb4e1ce99d201d3903d785888c928aa26e947ce2cdb99eefd0dae03", "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d0493bf7-56bd-5ead-b4c9-b39f059ed711", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968150Z", "creation_date": "2026-03-23T11:45:29.968152Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968157Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "175eed7a4c6de9c3156c7ae16ae85c554959ec350f1c8aaa6dfe8c7e99de3347", "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d04aa591-d2d6-57c7-9120-7ea55a8cc728", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817817Z", "creation_date": "2026-03-23T11:45:30.817820Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817827Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "03df432d7ff56ed53fd050b1875f5a05dffbe1c999adf2dd6c8d790b7ffd2c2d", "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d04c93cd-9131-5b2c-83b6-1e86b4dd4e74", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978808Z", "creation_date": "2026-03-23T11:45:29.978810Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978816Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": 
"hash", "value": "26536758c2247b6251a342d2e80de1753c006a0dce9b3b8a6a5b1d3110c8fc34", "comment": "Vulnerable Kernel Driver (aka procexp152.sys) [https://www.loldrivers.io/drivers/0567c6c4-282f-406f-9369-7f876b899c25/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d0512981-146d-55d3-bf78-922ee5bb4151", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828720Z", "creation_date": "2026-03-23T11:45:30.828722Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828728Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f7a83480526e5e8bbba2d70f20998a1fec54379e97bbe4dac071206f62c59c15", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d0545242-fe00-5d92-b6fd-9708bb597c7a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.453161Z", "creation_date": "2026-03-23T11:45:30.453165Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453175Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "76276c87617b836dd6f31b73d2bb0e756d4b3d133bddfe169cb4225124ca6bfb", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d05bb891-3652-5cdf-ad7d-22936c2fc818", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613512Z", "creation_date": "2026-03-23T11:45:29.613514Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613519Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3f44442f56f2ceb6213fce103466862ac750fb99038030003c1b42da35a43a83", "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d06835a0-027a-5118-a7ba-611302dd8f4a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474372Z", "creation_date": "2026-03-23T11:45:31.474375Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474383Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cae1049a8fecdbbd851889fe654e624ea73ca17fb093ab47842098f16318d9ac", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d0784d77-2d5b-54ac-aa14-0dcbaa4eff37", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608910Z", "creation_date": "2026-03-23T11:45:29.608912Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608917Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"1c9c86ba5ae540bb5729626cdaec89ca421f8129e4bbf6e1ea49c532b44ea0c9", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d07ac2df-d545-58bb-b2d7-26c26c5556d8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972861Z", "creation_date": "2026-03-23T11:45:29.972863Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972880Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "851961d7d327f813b5038f111f4ef31a38f8939ee7256603ccaa43dd5df742ab", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d08f246d-4a52-55f3-8aef-34b2014050bb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467893Z", 
"creation_date": "2026-03-23T11:45:30.467896Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467904Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d5f58cbce305cbd4397c1da5e1a51d78575c67616f6d9c7d764f87cda540fa62", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d08facc0-084d-51d0-9411-892415e3d826", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481042Z", "creation_date": "2026-03-23T11:45:31.481046Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481056Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2635d308d65dd8a508926fa2ac7845d7484051a8a2124e32f265abb20a9221d0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d09a0234-aa8d-5970-85ab-8b81cba5e529", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613969Z", "creation_date": "2026-03-23T11:45:29.613971Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613976Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7ea9b2420483183cf7b25d6577848f2dfe2ae064a61d931d6b8b65b31a1b2685", "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d0ad21ce-2c8f-5c66-a6b2-6feada0fbda0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979895Z", "creation_date": "2026-03-23T11:45:29.979896Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979902Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "4b10f4f03eaa545d2fdb3b88890917a6fa24142689d3c43a7c39fc5bed5725bf", "comment": "Malicious Kernel Driver (aka daxin_blank2.sys) [https://www.loldrivers.io/drivers/2e1531b2-d370-4543-9e2e-5319a1c13c22/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d0aef066-0b58-505a-a1a8-4f49216198f0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619388Z", "creation_date": "2026-03-23T11:45:29.619390Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619395Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bc65d8ade2e72475a585307311e3058b3dbc4a7d2be6740c2c53a5902e698e7f", "comment": "Realtek vulnerable driver (aka rtkio64.sys, rtkiow10x64.sys and rtkiow8x64.sys) [https://github.com/blogresponder/Realtek-rtkio64-Windows-driver-privilege-escalation] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d0b0a482-264f-5e6b-9743-6774f4571a36", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490471Z", "creation_date": "2026-03-23T11:45:31.490473Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490479Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b9f4b0bde872ec87194f5519dac7dbddfec613002e4b2015ef035d7c46301a81", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d0b65c04-f43c-5147-b0f9-efca4cfc0ae6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984786Z", "creation_date": "2026-03-23T11:45:29.984789Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984794Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0aafa9f47acf69d46c9542985994ff5321f00842a28df2396d4a3076776a83cb", "comment": "Dangerous Physmem Kernel Driver (aka AsrRapidStartDrv.Sys) [https://www.loldrivers.io/drivers/19d16518-4aee-4983-ba89-dbbe0fa8a3e7/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"d0c4b3a5-69df-5053-aa09-a5f09593d3a0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970600Z", "creation_date": "2026-03-23T11:45:29.970602Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970607Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "183ce4afa337da0edf454b6d1ae4c7f3b517751540813063fd69aa7ccb9dd4c0", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d0e162de-e7be-5114-b747-0b17ee380eea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154316Z", "creation_date": "2026-03-23T11:45:31.154317Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154323Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"76959cc4c02c08fe11c76a1390f5fe681470cb112b8e5dda1a07ebbf10f675f1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d0e2e060-c822-5e6e-b214-bb115e1e2cec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826815Z", "creation_date": "2026-03-23T11:45:30.826818Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826827Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8117b99bfa76722d593a60185368304e7eae96a2018430fb9382b740cc68ca7a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d0e58ad1-f1b7-5dbe-9ef9-1d7b5cf2e12e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153971Z", "creation_date": "2026-03-23T11:45:31.153973Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153978Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "007c79a894bb05c1e0a043a5a3468ae1b21c6bd28f77084045423200186691f8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d0e9d8a8-d11e-51a8-9829-1ad0a8239a2f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156091Z", "creation_date": "2026-03-23T11:45:31.156093Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156098Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "be335b1a16e6dcbe99f90c03756369969f88642a9a033bd797478f9a12d4bf74", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"d0effe10-7cd5-5baa-b6b8-50f8aba063ac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141024Z", "creation_date": "2026-03-23T11:45:31.141026Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141031Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c702628c85e8c787562444eb9913a410644a9f7ebdb9e9257e233ace66f4299f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d0f154df-6017-5411-87b9-a542eaec2bc2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833726Z", "creation_date": "2026-03-23T11:45:30.833730Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833738Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5d6194270f505b49f7b1289249605bf7000b97f52aa9f06cb7c1e94c50d71d39", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d0fb6ec1-19e6-54c4-9ea9-e9c62583dfff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612317Z", "creation_date": "2026-03-23T11:45:29.612318Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612324Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e32ab30d01dcff6418544d93f99ae812d2ce6396e809686620547bea05074f6f", "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d10adcd6-224a-5685-8a40-93daddce5be7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, 
"username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828221Z", "creation_date": "2026-03-23T11:45:30.828224Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828229Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "91f63fb221f9cc3d3042f0def671b3c9d8aa6daab71b31ce4c49289788d6b89b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d121ded0-fcba-52f4-9dfd-601f6d45d7b5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477288Z", "creation_date": "2026-03-23T11:45:31.477292Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477302Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a874d95a024183c7f3f885180a4520b069df40e558598703cf56756510d97d49", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d1220561-9f6f-5a70-bcf6-49d61d933be3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607613Z", "creation_date": "2026-03-23T11:45:29.607615Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607620Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5f20541f859f21b3106e12d37182b1ea39bb75ffcfcddb2ece4f6edd42c0bab2", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d123778c-e263-5486-9dde-18562873d99e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824006Z", "creation_date": "2026-03-23T11:45:31.824009Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824016Z", "rule_level": 
null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "85149fa4fbeaf225c5bf7e8b2f84b21e4305bc8fa61098e0d3b9cc437479958e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d12edae2-6cb1-5d32-9c37-dbe58dc94c27", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474330Z", "creation_date": "2026-03-23T11:45:30.474333Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474342Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4c03f7e80857630277d292ad7324541cad38f652a199d94bc18a10aef98c8bfa", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d13ff1c1-c131-5584-9e70-4288ce1d297b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829575Z", "creation_date": "2026-03-23T11:45:31.829577Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829583Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a6f6ab1d4ee5f77b1333935ebb5afca18ed35c1773b940c4c9964329abe9be84", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d1503b27-3457-582a-be96-293a11e62ff6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145147Z", "creation_date": "2026-03-23T11:45:31.145149Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145155Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1be65ff6fb2f175ba8efcca55fd6ca238c817ca541735d4b89f9d771aaf682b4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] 
[file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d16b0862-f27c-5873-a067-d000aef2e18e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976410Z", "creation_date": "2026-03-23T11:45:29.976412Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976417Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d17b2db5-bced-5852-84f2-718f6666b0c1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814261Z", "creation_date": "2026-03-23T11:45:31.814264Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814272Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5de574260ae036244f729af8d2d84800254161363a5c2916279fef35c9c0aea6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d18089a3-090d-516a-9b37-b938fe531db1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974969Z", "creation_date": "2026-03-23T11:45:29.974971Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974977Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a4a7794cdb933d71f57cf9f31188c1152bdc9fc429e17a84c4f639942965311d", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d1ac343b-ae92-5a76-9312-ee659f7dc767", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972336Z", "creation_date": "2026-03-23T11:45:29.972338Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972343Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9f94d9180104c820c3d27f03e20f5bbc9d2a5bc2ae6e74baf2a848f2f1790ec8", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d1b07451-19aa-5dd8-9251-9277051296ed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825817Z", "creation_date": "2026-03-23T11:45:30.825819Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825825Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1e58d77e44f08795e33c421b7c3659ba898ac371b6f2986334e09078755a4f20", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d1b2dddd-e643-5346-8487-b9634258fdd8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147935Z", "creation_date": "2026-03-23T11:45:31.147937Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147942Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "320d0e2f0f941424f2f1c4ace98203648db1f1ceebb02365829f0ffe6fc4c8fc", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d1c9c98d-56e3-5c4c-9397-e7a014403630", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141290Z", "creation_date": "2026-03-23T11:45:31.141292Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141298Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2b4b0a78190d65994a711b909cc14097b72510006a042770bd0a9f1548b9464b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d1cd5a12-2903-5dbb-af5e-896d10ed6bc2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831513Z", "creation_date": "2026-03-23T11:45:30.831515Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831521Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0c7120fae962b3574d4953e088b1791c77482ec7dbb88ecd7acefd1934d91a77", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d1e4ea94-73c3-5785-817c-3fdd4125a984", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605717Z", "creation_date": "2026-03-23T11:45:29.605719Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605725Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f56db12cd91af1190611be06668b76f8456b8cbfd67b1b41e90a0aeeab61ebb0", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d1ee41bb-76ee-5d78-b3b5-2af43b5e7abf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812839Z", "creation_date": "2026-03-23T11:45:31.812841Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812846Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "10d4da8b187122f5f1b1168fec9eda3fcd829d03a763953234230d4005611a7d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d1eebb4d-5dde-58d5-899b-e8ee5afb4f63", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823749Z", "creation_date": "2026-03-23T11:45:31.823751Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823756Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"ab540cd5d179dab65b26b519e0d42e785776349d2d1b847e8d2592c324d86249", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d1f90a58-55a1-5699-bb20-0cfe472cbf6a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982624Z", "creation_date": "2026-03-23T11:45:29.982626Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982632Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "baa89ffd5255e5c72112ed57937353ae48a050c9af423cbde6b380978ecc235c", "comment": "Vulnerable Kernel Driver (aka driver7-x86-withoutdbg.sys) [https://www.loldrivers.io/drivers/d9f2c3d6-160c-4eb3-8547-894fcf810342/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d1fbdc3f-d254-5880-ba10-57334da1519f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.158822Z", "creation_date": "2026-03-23T11:45:31.158824Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.158830Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3c58c16ad52d4f2ef42ee77c5e46aa315c8d412833b36ce54034a9a43c18f533", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d1ff7cab-69da-53e3-bf34-f3f0fe1bd8a6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144464Z", "creation_date": "2026-03-23T11:45:31.144466Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144471Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dadef39b191a5c4e4007a9720560d7e39b913b12556295fe11b3b0ca923a0e59", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d2005d8f-7c42-5a45-b3bd-dac6934ff79b", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832862Z", "creation_date": "2026-03-23T11:45:30.832865Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832888Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e30a49fce3e7db881497882c0a846b8f9834acd7443f895b1d40eaaad5f87d0b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d2229195-9c0d-57cc-af75-7ce8a31c0d27", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616922Z", "creation_date": "2026-03-23T11:45:29.616923Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616929Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "846cc7c9bf2eab3400e66481568a010fb0dfbac01416a99258a4baabf1e10d35", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d2249eee-afff-58b6-a4a3-81a4acfc1203", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620238Z", "creation_date": "2026-03-23T11:45:29.620240Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620245Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "607dc4c75ac7aef82ae0616a453866b3b358c6cf5c8f9d29e4d37f844306b97c", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d2287136-c99e-52e3-8252-aa56fd089000", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" 
}, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477666Z", "creation_date": "2026-03-23T11:45:30.477669Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477679Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "828a18b16418c021b6c4aa8c6d54cef4e815efca0d48b9ff14822f9ccb69dff2", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d232e2e3-a3b0-5ea6-88c0-81ca9e6b3933", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620780Z", "creation_date": "2026-03-23T11:45:29.620782Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620787Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b47be212352d407d0ef7458a7161c66b47c2aec8391dd101df11e65728337a6a", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d23ab5aa-cc19-5bc6-82b5-a074bc6c9317", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816283Z", "creation_date": "2026-03-23T11:45:30.816285Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816291Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1a450ae0c9258ab0ae64f126f876b5feed63498db729ec61d06ed280e6c46f67", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d23dce60-e7fb-52fd-9d64-54b57653d087", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495437Z", "creation_date": "2026-03-23T11:45:31.495439Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495445Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"ca64e58831171214a5f49d3c2ae83c46669b022c4bbb4ab4f49ab7ac0fc5fd67", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d25363fc-6497-5df1-b3ba-d6726bb6e4d7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821982Z", "creation_date": "2026-03-23T11:45:30.821984Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821990Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fb3176deae54472750747167287284c3cda5e14248ee10844305f322adcb81cd", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d25af5ed-5ae9-5018-8992-65353fe7079b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.459737Z", "creation_date": "2026-03-23T11:45:30.459740Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459749Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6709a2d7925248fe172e9bc5495f45b9bb74060c43e1c58e671f0e6c434fd82b", "comment": "Vulnerable Kernel Driver (aka test2.sys) [https://www.loldrivers.io/drivers/6356d7d9-3b82-4731-9d5f-cc9bc37558fc/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d26f861f-e07a-59a8-8371-721a13f168fa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490226Z", "creation_date": "2026-03-23T11:45:31.490228Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490233Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f0ac2c9641ea50b272f1a2cb08a88ead32edb2de195df812449289be84f8c62f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d27183e2-c2de-5b8e-81c7-9ec653d0e0c3", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976742Z", "creation_date": "2026-03-23T11:45:29.976745Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976754Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ef9e759f95645dbce0c49fe1e97838051a67c42995953778a651e3d8d017217", "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d271e804-f286-57e3-89b6-59dada33c423", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159246Z", "creation_date": "2026-03-23T11:45:31.159248Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159254Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"79e7bcc95f41c982a31e879826379c810340acdd5c8edc1493e06fd46e4fa893", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d27fc381-1eb0-5e9c-ad63-fbcdca0e6641", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823918Z", "creation_date": "2026-03-23T11:45:31.823921Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823929Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c04912772a57ed2d216458e80775cba8ef389b777beee0556128230b7ad5ced0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d28a4c5e-ccad-55f2-8977-d0c535df5171", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981111Z", "creation_date": "2026-03-23T11:45:29.981113Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981119Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fa21e3d2bfb9fafddec0488852377fbb2dbdd6c066ca05bb5c4b6aa840fb7879", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d29454b7-f813-5cb0-9adc-0f7fc6cfe15f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833507Z", "creation_date": "2026-03-23T11:45:30.833510Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833519Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c007d8eb2f4a41275b9bc2850e37a40f699d2c94c4abce164ce236eaaf7ca7c0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d29b0584-ef2d-5ba9-a2bb-717e94786590", "test_maturity_current_count": 
0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146168Z", "creation_date": "2026-03-23T11:45:31.146170Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146176Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "852e9260b9ee80f78ba23936fbb9e75eb7a841a9f9e486af65fcdac855884e64", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d2a3877c-5c78-595d-b0da-8b4af75129d0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472344Z", "creation_date": "2026-03-23T11:45:30.472348Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472357Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "f8d6ce1c86cbd616bb821698037f60a41e129d282a8d6f1f5ecdd37a9688f585", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d2a72fd1-485c-59fb-aaf3-6118a99ec421", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493626Z", "creation_date": "2026-03-23T11:45:31.493629Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493638Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4c9dbc78d1953e9a177d2eac79f5a4174ea65a1889a99a356f3a6412ec3ba397", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d2a94f44-76dd-5f03-9a4d-aaa73cb1f5a6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.835807Z", "creation_date": "2026-03-23T11:45:30.835809Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835814Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d3e4b057da5d3e93d142cee093c78e6f59e0b1fbc85a4dc32af7d53c998945f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d2aca4c7-4823-5544-a052-8eb8221c7b87", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.496036Z", "creation_date": "2026-03-23T11:45:31.496039Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.496045Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2fc41b0d0bbd4e623dcc2f0435392126f3fa0f36b68708d63cbf7e0ef4b2e4d7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d2b0b9b1-5432-5bcd-a67a-c9bfd8b63486", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620883Z", "creation_date": "2026-03-23T11:45:29.620885Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620890Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d453110c9050320419c2064ddea08230de6c76f86b07dc58112208e3d24a809e", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d2b4db88-547c-590a-9229-52eff1c2577b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153471Z", "creation_date": "2026-03-23T11:45:31.153473Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153478Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "74d3f294eccc335ec98050f305f49bb6465568c964ba1665047665b2661a7565", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d2bcf3bb-3e1f-56bb-8541-01cf265309ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611677Z", "creation_date": "2026-03-23T11:45:29.611679Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611684Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd7754a6ec6bf19724fb266ec4f1d02607e9b310791d8725d7db5ac84d5430e2", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d2bd5269-d37b-5526-aa34-782af4260050", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477230Z", "creation_date": "2026-03-23T11:45:30.477233Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477242Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d80714d87529bb0bc7abcc12d768c43a697fbca59741c38fa0b46900da4db30e", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d2c0d129-4373-5ad4-b06e-d59c34924505", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615398Z", "creation_date": "2026-03-23T11:45:29.615400Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615407Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9d734d6443a707d601d76577692dc613b35201518856d0189b037f7a4fbd420d", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d2c5bb23-c541-5702-aecf-e2f17e620e69", "test_maturity_current_count": 
0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460737Z", "creation_date": "2026-03-23T11:45:30.460740Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460749Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0aca4447ee54d635f76b941f6100b829dc8b2e0df27bdf584acb90f15f12fbda", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d2d7f25a-7773-521a-8533-602d8b820b19", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826710Z", "creation_date": "2026-03-23T11:45:31.826713Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826718Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"d8b79681480130e33478c8a922ab98b35d3f9b4f2f1fd15d3047448014193098", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d2e29b3a-5e8a-5e38-b37a-c4713e596759", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817592Z", "creation_date": "2026-03-23T11:45:30.817593Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817599Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a6c11d3bec2a94c40933ec1d3604cfe87617ba828b14f4cded6cfe85656debc0", "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d2f0926f-f8b0-5098-85fb-5385fbd3f2f5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487451Z", 
"creation_date": "2026-03-23T11:45:31.487453Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487459Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "515c61e521dce56afd4814e8c6810dc9b325fe4c4c1ff90ecf2434bf2869e816", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d2f53f1e-43ab-522d-8216-bbd553a6c4c4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824184Z", "creation_date": "2026-03-23T11:45:30.824187Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824192Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ce6636dd6b217d50a39eeaf3dcdcaf0643aeb1caacb4353f60e208e6e7d1ab11", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d2fd906e-e1bd-5045-945c-a9bf508b818d", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823034Z", "creation_date": "2026-03-23T11:45:31.823037Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823046Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e11a326b6f516502e5dd37c4a1867ed6f47f2f008e1e562f26c4a09af2466297", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d3091249-23e5-54e2-9211-9e24d22d0dfa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153907Z", "creation_date": "2026-03-23T11:45:31.153909Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153914Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "5ee3f6dc6ce25126481c4ab68f01344a8c8c7f68d0fabc61a9c02a82c2f91e3a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d30913ba-c66d-5525-b61a-a8f02ee87f4c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829554Z", "creation_date": "2026-03-23T11:45:30.829556Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829562Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "877fffa31cfbcb74d20d770abac91a76c686b1d315326eb14285bc6c92366cbe", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d313e4c7-4189-5d51-b8bb-a2ce072f81d8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980768Z", "creation_date": "2026-03-23T11:45:29.980770Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980775Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "06508aacb4ed0a1398a2b0da5fa2dbf7da435b56da76fd83c759a50a51c75caf", "comment": "Vulnerable Kernel Driver (aka PanMonFltX64.sys) [https://www.loldrivers.io/drivers/40bfb01b-d251-4c2c-952e-052a89a76f5b/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d32ff0d2-ca03-5c34-aa67-079960f93ed5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477611Z", "creation_date": "2026-03-23T11:45:31.477615Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477625Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2414ad09451dae4811952d9696de5e37658091dc0363bc96cf0985ff19e9d97a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d338006c-56ad-5d48-bb8f-f2080ceea0f5", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621124Z", "creation_date": "2026-03-23T11:45:29.621126Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621131Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7a20ca8f9361eb892257b3693095ffeee61457dc4e22d9b119e3a9f3a1507069", "comment": "CoreTemp Physmem dangerous drivers (aka ALSYSIO64.sys) [https://www.loldrivers.io/drivers/4d365dd0-34c3-492e-a2bd-c16266796ae5/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d33e4e78-526a-5941-a46c-53471b051b37", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485644Z", "creation_date": "2026-03-23T11:45:31.485647Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485657Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", 
"value": "71ec6fc98c2a2c577e13745f0ef4637d780af82fa569985eb584774669a20cda", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d33f9717-2c0c-5308-9b71-ba6da332678d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155523Z", "creation_date": "2026-03-23T11:45:31.155525Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155531Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eddd681692bb34b3025fefe4880792c5358bd41c61c89c6aba47ca110526e9a4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d342b358-667c-5b9a-b72d-a0b59cd4753a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831766Z", "creation_date": "2026-03-23T11:45:30.831768Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831774Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c3f7b3e020495d9742a9211d64adb93b2950bdd6748c101208f446cbd872e5b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d3503940-6000-529f-8a0b-1df34e5d34c3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621811Z", "creation_date": "2026-03-23T11:45:29.621813Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621819Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9b1af050481bda270a08ae873224a142c8b2119eeda59d3a04b1f6d66715a8c8", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d36ad9dd-0ee6-50a9-8c51-53db71c353b3", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830651Z", "creation_date": "2026-03-23T11:45:30.830653Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830658Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e6177613652eaf63a2cfc1bd377b5159980f2fb2ce12b88c2ad92a0e89157381", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d379808e-a35d-56ae-8b3e-750e784973ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495922Z", "creation_date": "2026-03-23T11:45:31.495924Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495932Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "20f7eb43732e7813d3af0a34e543f0cd3ebfc20f2c0f33139e0b3fe03c49dc45", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d37ca3f7-2cc8-5fe4-9558-9c5f29072061", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984493Z", "creation_date": "2026-03-23T11:45:29.984495Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984501Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fb2e8e98a58329e86a1ee310fe9dfce7056f4a0ede380eee8768c51b5870c433", "comment": "Vulnerable Kernel Driver (aka inpout32.sys) [https://www.loldrivers.io/drivers/97fa88f6-3819-4d56-a82c-52a492a9e2b5/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d3851bce-2f35-5e05-b403-daf2a9dec365", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.815579Z", "creation_date": "2026-03-23T11:45:31.815581Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815586Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "91fab8e79aebe13dc687702d6a7ccbf9293050fafd9b7d443b5000c40d408cec", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d38b5a39-e354-5a16-8366-0051b28079a2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811898Z", "creation_date": "2026-03-23T11:45:31.811900Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811906Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e41e80a36e3e5f9c6444a626350712e2c12614f2256ada671e0218b24f46120d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d3922563-da8b-58cc-af9d-155962770749", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479202Z", "creation_date": "2026-03-23T11:45:30.479205Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479211Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "85686a6dec96776c2e8510fea7ca198b84429fb0b756a2d87ee1cc4570ac9b87", "comment": "Vulnerable Kernel Driver (aka NCHGBIOS2x64.SYS) [https://www.loldrivers.io/drivers/d2806397-9ceb-47c8-b5f3-3aabec182ff5/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d3969778-ce1d-52d9-91d2-6cd5f3719a96", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829577Z", "creation_date": "2026-03-23T11:45:30.829581Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829589Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", 
"value": "b27c91559b2f4f1736685edee9f9e250dcbd91b479aaae27bbb3ca5b37deb052", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d3a41f63-f28f-53b4-b367-0dc912d403a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472554Z", "creation_date": "2026-03-23T11:45:31.472557Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472566Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "14156ba6bb21cb431a2d70a16df7a54ad7d94febdc4066654b565552098f5f83", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d3aa06f7-b993-5fb1-b89b-b7bb9c9453f8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816574Z", "creation_date": "2026-03-23T11:45:30.816576Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816582Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bcaeac1a4a51b210bfc5ebdb6f797797299a171e0b6d50aa8f9bcdb45a51d629", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d3b353f4-4447-5219-999b-5c6e6d4eadbc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488483Z", "creation_date": "2026-03-23T11:45:31.488485Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488490Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a3fb8d303387f8036e38525aa384030a6e3bc79697f8c5e48188347c7d2704b7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d3d2d931-f613-549d-82aa-1372d91432a4", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824058Z", "creation_date": "2026-03-23T11:45:31.824061Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824068Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6b0d607abf3d48c6ac77185644fe98a87dc795fe302686464cc700dcb8dfa19b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d3e51087-bb5b-5b87-9d98-6723f79f3224", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461837Z", "creation_date": "2026-03-23T11:45:30.461841Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461850Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "47356707e610cfd0be97595fbe55246b96a69141e1da579e6f662ddda6dc5280", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d3e55608-eccc-5b02-b8ec-eef60cddcf0d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492485Z", "creation_date": "2026-03-23T11:45:31.492487Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492493Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "600a17409fa52c474a72ab3f5d85817ef052954f81055f558054ecf575808b4a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d3ebe340-1af9-5faa-ae16-85fc43f7668a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481079Z", "creation_date": "2026-03-23T11:45:30.481081Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481087Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5c3ac6f22b3f1614ad0c01c180421f7588460accba5065562bf735d24bd3c674", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d4082f0d-8d50-5184-900d-0634dcbbf8a0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830499Z", "creation_date": "2026-03-23T11:45:31.830501Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830506Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1aed62a63b4802e599bbd33162319129501d603cceeb5e1eb22fd4733b3018a3", "comment": "Vulnerable Rentdrv2 Driver (aka rentdrv2_x32.sys and rentdrv_x64.sys) [https://github.com/keowu/BadRentdrv2, https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"d40b5174-6f69-5a46-84cc-5e170c407b67", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820929Z", "creation_date": "2026-03-23T11:45:30.820931Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820936Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "39134750f909987f6ebb46cf37519bb80707be0ca2017f3735018bac795a3f8d", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d422193a-dbfc-5ece-9450-f79eaa4e60a8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819088Z", "creation_date": "2026-03-23T11:45:30.819090Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819096Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "533b8138ab8f776008ff8918c8cfa52604e43efca4e39da5096404c8424084b7", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d433523c-2392-5f7d-aa32-b6f6565a52c5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976625Z", "creation_date": "2026-03-23T11:45:29.976627Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976632Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "13cd99ff2120d9fd651814d826b6c8481d549f684a8fbfb2d8775c9faa1c27f5", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d45ef7ea-b157-5a73-a60e-f9f747a74eda", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143165Z", "creation_date": "2026-03-23T11:45:31.143167Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143173Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0f2e0da56010ce28e88a10a08ee98b7015faad016243928b9b8426ef912eb057", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d4685b73-e054-51d9-adff-cf9145dcbc77", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818084Z", "creation_date": "2026-03-23T11:45:30.818086Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818091Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "76940e313c27c7ff692051fbf1fbdec19c8c31a6723a9de7e15c3c1bec8186f6", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d46e1471-4e84-5d89-9691-f9b84b80c2ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620496Z", "creation_date": "2026-03-23T11:45:29.620498Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620503Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c8dfa14888bb58848b4792fb1d8a921976a9463be8334cff45cc96f1276049a", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d47e7efb-c7ef-55dc-96d5-3dd1da19526d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476661Z", "creation_date": "2026-03-23T11:45:31.476665Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476675Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0369c017c4d9d03e1399c31ef0857c94f9b4a759151e1f7dcefb78b76bd86ad5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d489c95f-23c2-55a8-b43b-29575820c453", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978118Z", "creation_date": "2026-03-23T11:45:29.978120Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978125Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a4ac619fb531793945ad4c72bdd809ebd38512fc234aa452cb8364ee05465a7b", "comment": "Vulnerable Kernel Driver (aka BlackBoneDrv10.sys) 
[https://www.loldrivers.io/drivers/722772ee-a461-48ec-933d-f3df1578963e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d48f7729-0e8c-5b4d-85c7-2435444e071e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463156Z", "creation_date": "2026-03-23T11:45:30.463159Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463167Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c42c1e5c3c04163bf61c3b86b04a5ec7d302af7e254990cef359ac80474299da", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d4934a41-6399-58da-9792-2d15e83ab4ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611847Z", "creation_date": "2026-03-23T11:45:29.611849Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:29.611854Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "247aadaf17ed894fcacf3fc4e109b005540e3659fd0249190eb33725d3d3082f", "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d49b4bc1-1750-5a85-aa8c-b4a14b095e91", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471162Z", "creation_date": "2026-03-23T11:45:30.471165Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471174Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d15a0bc7a39bbeff10019496c1ed217b7c1b26da37b2bdd46820b35161ddb3c4", "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/fbdd993b-47b1-4448-8c41-24c310802398/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d4d17544-6fc3-5f62-9746-36cafa10f69a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984355Z", "creation_date": "2026-03-23T11:45:29.984357Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984363Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "945ee05244316ff2f877718cf0625d4eb34e6ec472f403f958f2a700f9092507", "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d4e81788-1731-517f-a25d-040acd961ee7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140345Z", "creation_date": "2026-03-23T11:45:31.140347Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140352Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b33b3a531fc9b0d0353b218a6b0abfdf4094c8eec8b7403da1088eb9916f4741", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d4ee88a1-4146-5737-ac5b-be1589934f0a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.161111Z", "creation_date": "2026-03-23T11:45:31.161113Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.161118Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "716d44fbbb56c412b9307a7e5d666d1e166e8d2fa3e5e07cf34e9c5bdc4770ef", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d503b77e-f329-50c3-a63f-151e515a02c6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466157Z", "creation_date": "2026-03-23T11:45:30.466160Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466169Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8206ce9c42582ac980ff5d64f8e3e310bc2baa42d1a206dd831c6ab397fbd8fe", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d51a04e4-66c5-5bbb-8d46-0b31a85a8104", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813667Z", "creation_date": "2026-03-23T11:45:31.813669Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813674Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0fd8ec1bd57418e63f9f752ed48e5183221543fd5e4d8b2dba60fa8590433978", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d52667b7-fe4b-5476-aa1e-eefabe930e5d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984564Z", "creation_date": "2026-03-23T11:45:29.984566Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984572Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7e96edcd1d5daeb7cbbc2602e9cdf2fd6723cbde0cfcf65eded6d02b58c58473", "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d53903c7-00b6-53f5-99f6-1a0abdc55de4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488759Z", "creation_date": "2026-03-23T11:45:31.488761Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488767Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "045df00af2228ec0219665623a5a6145e9a55e39d88e0b916dfcfd1de3186efb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d546c29e-4f59-5ca0-9608-9642a9dd0923", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458022Z", "creation_date": "2026-03-23T11:45:30.458025Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458035Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f77fe6b1e0e913ac109335a8fa2ac4961d35cbbd50729936059aba8700690a9e", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d547e928-c81e-5089-887d-6b306a6cbc9f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145344Z", "creation_date": "2026-03-23T11:45:32.145348Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:32.145356Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fdf15402013191f701086e188d88041481f1562aa43e4ca8a21f4d489e791a36", "comment": "Vulnerable Kernel Driver (aka SeasunProtect.sys) [https://www.loldrivers.io/drivers/3a9ea9a6-e5e3-439a-b892-1f78dd990099/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d54de769-b192-5f54-89ae-caa79107b1bf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968060Z", "creation_date": "2026-03-23T11:45:29.968062Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968067Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "71a12491b91eff58d2c834160bf8eb03be2e78548c9d06f435b31d9e7dcaecd8", "comment": "Projector Rootkit malicious drivers (aka KB_VRX_deviced.sys) [https://twitter.com/struppigel/status/1551503748601729025] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d563ccb2-9a1e-5c5d-976f-06fbf2b613a4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978597Z", "creation_date": "2026-03-23T11:45:29.978599Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978604Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "635273eaa4c2e20c4ec320c6c8447ce2e881984e97c9ed6aeec4fad16b934e81", "comment": "Vulnerable Kernel Driver (aka bwrsh.sys) [https://www.loldrivers.io/drivers/974de971-1f78-47b9-8049-6c34f294acd5/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d575975a-d1be-5e7f-ab24-10783b482040", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452217Z", "creation_date": "2026-03-23T11:45:30.452221Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452230Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b531f0a11ca481d5125c93c977325e135a04058019f939169ce3cdedaddd422d", "comment": "Vulnerable Kernel Driver (aka mhyprot3.sys) [https://www.loldrivers.io/drivers/2aa003cd-5f36-46a6-ae3d-f5afc2c8baa3/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d5a842a5-67e6-5e8b-bde2-a999c285fd5e", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156518Z", "creation_date": "2026-03-23T11:45:31.156519Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156525Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "db77b9e868b942f5a4e7779e210b73699ff8f26dc7e92acc39ddc614e73374e6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d5ab7150-9289-5e04-85b4-e6aa51a17667", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613858Z", "creation_date": "2026-03-23T11:45:29.613860Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613865Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "15bc804877a607ba0d017df9f6ac951ac7ffbcca8069c5ba28e0cf505f7553b8", "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d5b2b465-2733-5f3b-98ff-edbdaa4f1e2c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493569Z", "creation_date": "2026-03-23T11:45:31.493572Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493581Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fb27b99f572f95051a227285e5adbc4c4135952f8b54323a3b9c19bda2082ab2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d5b8bb83-4dc4-58c5-a900-2599dc102649", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616686Z", "creation_date": "2026-03-23T11:45:29.616688Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616693Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "42579a759f3f95f20a2c51d5ac2047a2662a2675b3fb9f46c1ed7f23393a0f00", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d5c10855-2efd-5a3a-962a-4ecddd197f77", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143224Z", "creation_date": "2026-03-23T11:45:32.143226Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143231Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5f69d6b167a1eeca3f6ac64785c3c01976ee7303171faf998d65852056988683", "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [file 
SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d5c67434-06e4-5fb0-aca7-c87df30dda42", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459985Z", "creation_date": "2026-03-23T11:45:30.459988Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459997Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "516159871730b18c2bddedb1a9da110577112d4835606ee79bb80e7a58784a13", "comment": "Vulnerable Kernel Driver (aka LgDataCatcher.sys) [https://www.loldrivers.io/drivers/5961e133-ccc3-4530-8f4f-5d975c41028d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d5d7fd6e-ebd8-565b-add0-af8148705c4c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831218Z", "creation_date": "2026-03-23T11:45:30.831221Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831226Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7d7b33f39fb712a114231a1ecf58d45f08eb6d4100556f24cd55bc3468a5b9fc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d5db8dcf-d2b3-55b4-897e-bcdc8d1aa417", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143580Z", "creation_date": "2026-03-23T11:45:31.143582Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143587Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0bcd8bd506d8390fdf85aa91ef40b359001cb09e9c45696c31ff5289c422a846", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d5ea6323-e034-5703-bbde-bff56bfae436", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834132Z", "creation_date": "2026-03-23T11:45:30.834135Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834144Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "699e84d8ff00dff1056c826b06f8d9514cbc5316c6087a3badb5654ee7e4c217", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d5f85186-cbe9-5919-b46e-6ab01af72170", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500148Z", "creation_date": "2026-03-23T11:45:31.500151Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500160Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7e6e5e688c858122474f0f37d8dd28a7daf57fb6962312b30ec88a1c077dad14", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d5fb55f4-fcb7-59a5-8ec0-ab3d97a3ab19", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968910Z", "creation_date": "2026-03-23T11:45:29.968912Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968917Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "34e0364a4952d914f23f271d36e11161fb6bb7b64aea22ff965a967825a4a4bf", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d61a06c9-d5ba-50c0-97d8-ad9e24b7fc9b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835405Z", "creation_date": "2026-03-23T11:45:30.835408Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:30.835417Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8a86b668e2380d290a8c6dbaf06ab2582647d7badc69cfaedb9bff4d7cdd26cb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d631d6b0-5bcc-5a43-a717-503732debd1d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822300Z", "creation_date": "2026-03-23T11:45:30.822302Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822307Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "10576dad4928b01c21ecd2ed9914abba8bf4edae964d5d9d3c0d64ec7657f3d3", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d63a9d72-d64b-509b-96b6-b12ed14c1883", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818225Z", "creation_date": "2026-03-23T11:45:30.818227Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818233Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8edab185e765f9806fa57153db1ede00e68270d2351443ee1de30674eca8d9b6", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d640a694-1b9a-5cfc-a204-173629b14aae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149006Z", "creation_date": "2026-03-23T11:45:31.149009Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149017Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "77260b530b6da96800832d1b3192aced006d2c9ad5cc89227e060ddaae7ea32a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d654ce02-481d-547e-b2c0-06bc5af2318b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499984Z", "creation_date": "2026-03-23T11:45:31.499987Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499995Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e84ee3a620bcbbc803c063f817482f79a1b2706ca4576b091d8c970a99a13a4b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d659f295-640e-54dd-8166-22be7c09a18c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622527Z", "creation_date": "2026-03-23T11:45:29.622529Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622534Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0bc3685b0b8adc97931b5d31348da235cd7581a67edf6d79913e6a5709866135", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d6672950-b0f6-514a-89c0-663789a4039c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979186Z", "creation_date": "2026-03-23T11:45:29.979188Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979193Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "29a2ae6439381ea2aa3116df7025cbb5c6c7c07cc8d19508e6021e4d6177a565", "comment": "Vulnerable Kernel Driver (aka elrawdsk.sys) [https://www.loldrivers.io/drivers/205721b7-b83b-414a-b4b5-8bacb4a37777/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d66c7766-ac85-5795-9dd6-df5842317d2c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823580Z", "creation_date": "2026-03-23T11:45:31.823583Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823590Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "659060d15fc1fc553cb80225b237919a686914f7590b989e10fb72ed9938930b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d673273a-c871-5b8d-9d2e-4286ec032beb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151090Z", "creation_date": "2026-03-23T11:45:31.151092Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151098Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5d7043b497c802662a026c9c9f90941cbc5355aec498a8955a8e03fa2f85af1c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d6741839-f890-5333-a8a5-429a98d886a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824983Z", "creation_date": "2026-03-23T11:45:30.824987Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824996Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c823e63427821411c03f3d8706d08a456352b9c9e34340adb2a3c3e34742229c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d674455d-d9e0-58dc-be7c-e8562562c1a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149844Z", "creation_date": "2026-03-23T11:45:31.149846Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149852Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3b183048baf9ead5313607e82e599c973838d9ef4099dcafd11b123c0bb62201", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d67a44ea-f60b-5a3d-84da-36782e7ea480", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985630Z", "creation_date": "2026-03-23T11:45:29.985632Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985638Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8578bff36e3b02cc71495b647db88c67c3c5ca710b5a2bd539148550595d0330", "comment": "Malicious Kernel Driver related to WINTAPIX (aka WinTapix.sys and SRVNET2.SYS) [https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d681726d-1982-5f87-a990-65e10c4729ac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145036Z", "creation_date": "2026-03-23T11:45:31.145038Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145043Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3aebda5c4cf4decc4b2d87e9662d7f0df2b84795d341511ddf5e015f23f96a6b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d6886abc-6dc8-5e14-a44a-23df35b29746", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614266Z", "creation_date": "2026-03-23T11:45:29.614268Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614273Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"5bf00eff58e5bbe4cf578ec37b9e13c8fa74511fb2644352fcc091347153a709", "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d688ffe5-f2a6-5e06-852e-a4d396eecf70", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481455Z", "creation_date": "2026-03-23T11:45:31.481458Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481468Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d0db7c736c1e7db87e28cae1b7a36e74f502a9f719ff28308cbce184c8426a51", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d68ab78c-a7e2-58f8-bb64-af8b9ec2312b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151679Z", 
"creation_date": "2026-03-23T11:45:31.151682Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151691Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4337c501957262ec0285860e07d7d2c94f2dffb0df9cf41597162cc9d2cf89ac", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d6ce4e88-26be-5f83-9c5f-84c58436b13e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468773Z", "creation_date": "2026-03-23T11:45:30.468776Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468785Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4b5206b5928e03929cca1eda3f12e6df14b31f80e8c16c1bb29109c072053b90", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d6ce8f92-23cc-58f5-92e7-841970f524c2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492730Z", "creation_date": "2026-03-23T11:45:31.492733Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492742Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7ae7329aa54c405421b8ee778dd6e20f8058bd137eae79b2acd20d89fca273d1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d6d3e514-c6a8-5eed-9c09-6cdb5c956e24", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156938Z", "creation_date": "2026-03-23T11:45:31.156940Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156952Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"e507b8b6b9fd0275e858d721ba6dd3ce7864a9f4822e97c0cc5338facece8305", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d6db1ed1-9f82-52da-961c-d220a7cedc40", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499667Z", "creation_date": "2026-03-23T11:45:31.499670Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499679Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "71760362ea4f35cd3fc3b4a3a002f4f5e04f83b20efa81c4b865543ed00240ad", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d6db3855-2fa1-53ed-b829-cacde9330ec3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622892Z", "creation_date": "2026-03-23T11:45:29.622893Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622899Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "38fa9b5b66a11fd7387012c5c4bbd414eca8361273d57dba1e49aa6af23337f3", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d6dc7499-f4d1-565f-93b0-d8496a6e3331", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818719Z", "creation_date": "2026-03-23T11:45:30.818721Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818726Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4c80a2d3a0ef4ce0a3aec62e9d15b50679dec4cccb69a5c0b72529641ebfa5f4", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d6de2e19-8305-5310-b303-bc676760fc01", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472230Z", "creation_date": "2026-03-23T11:45:31.472234Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472242Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "85a626153de212444496be7c28c61a0a49b672d88de0f3de4794558ec3613d5d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d6e429ba-60b2-5eec-9cfd-b3c4f6b95a0a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816862Z", "creation_date": "2026-03-23T11:45:31.816865Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816890Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "0baee4e0bf0c33bab6bba5fb6a644f67a53e58fe66fb98d17a229e39d8a01931", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d6e6e0db-492a-5a99-8903-c31c61f6c3ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468824Z", "creation_date": "2026-03-23T11:45:30.468827Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468834Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "35d552d7603a26ea7ed111bd865cddaf7aa342481c89af7b2697beb25b99e829", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d6ea952e-ec86-5186-988c-0c30d24a8a23", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830580Z", "creation_date": "2026-03-23T11:45:30.830582Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830588Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a9181974503438d60ceac451fe075011f5167ea835a77b650a654b4e34f16497", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d701418c-9f92-5c43-9a27-15015c453755", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459244Z", "creation_date": "2026-03-23T11:45:30.459247Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459256Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8017e618b5a7aa608cc4bce16e4defd6b4e99138c4ba1bdd6ad78e39f035cf59", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d70f5fa2-c778-54dc-8814-d6becc0157ec", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808761Z", "creation_date": "2026-03-23T11:45:31.808763Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808769Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d2e8a4753abb0176692e89baf9607cc58b6d498a3fb2d4da095ab4a41a793702", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d715e8e2-2a88-52a0-a50a-06f9cb894618", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813034Z", "creation_date": "2026-03-23T11:45:31.813037Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813045Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "839790b1272d3e7f8315b01b3dd41501cf6b12cab5688dc65c0dea98b5a116d0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d7220389-1b3a-507d-8ed7-06bc5c3f4ac4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144782Z", "creation_date": "2026-03-23T11:45:32.144784Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144790Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5aded75d6beb315849f698a78f8033de26eb151955a1cbc01e3037320e2a0eb6", "comment": "Malicious Kernel Driver (aka windivert.sys) [https://www.loldrivers.io/drivers/45a31a17-f78d-48ec-beba-74f6bfc5f96e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d7455733-b796-59b0-9c5d-398e34a5a3a5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821619Z", "creation_date": "2026-03-23T11:45:31.821621Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821627Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0bcf09a59e2deb358e822f635df4a866721ea739a68e1225ea0aa029abfd6bdf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d747e1e9-d3b4-5c37-946b-5b55047e41a0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611728Z", "creation_date": "2026-03-23T11:45:29.611730Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611735Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "991228f3ea6c1ae8083aa405d1d066e48cd6dbd7d6bc01c81599b2c28f3923f1", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"d7482fcb-4d34-51d3-a979-a42fdbaeaaa0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980464Z", "creation_date": "2026-03-23T11:45:29.980466Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980472Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "982ad43111d8b7a7900df652c8873eeb6aa485bb429dee6c2ad44acf598bb5e6", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d75ed853-499a-53bc-adb6-6a12ba145202", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476852Z", "creation_date": "2026-03-23T11:45:31.476856Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476866Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "a32f9b83a80e09b28163c70af0d0ffff7acc7f7b63ddc3286c589bc741e41cf6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d766b573-7b05-5f68-a092-5ebf08e3ac88", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486396Z", "creation_date": "2026-03-23T11:45:31.486399Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486406Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8210184d342da90354402e53fa09d6ba0173c3305c41072fd6a2ce79b0524a53", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d76b90ba-6963-5e2c-b282-8885f3b25b6f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461724Z", "creation_date": "2026-03-23T11:45:30.461728Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461736Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "edeb35e4341034b2de389017c4884b081a821f34349a620897a2a845c84cb09e", "comment": "Vulnerable Kernel Driver (aka mhyprotect.sys) [https://www.loldrivers.io/drivers/7abc873d-9c28-44c2-8f60-701a8e26af29/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d7766e4a-08d0-5e7c-8a14-30db3a3dadc8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818754Z", "creation_date": "2026-03-23T11:45:30.818756Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818762Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8f69fa6128acbaa8217454ff22eb7fb9be1e841ed47116e7616749600b4bfc4d", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d780e75f-cab3-5af0-81c7-18889b59dee3", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815253Z", "creation_date": "2026-03-23T11:45:31.815255Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815261Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fad7be43548a35c9916a1765b6388710989f2d283cc60f8783a77651a97149cf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d784f743-22d8-5d02-ad40-28cd9e5d36dc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975166Z", "creation_date": "2026-03-23T11:45:29.975168Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975174Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "f6cd7353cb6e86e98d387473ed6340f9b44241867508e209e944f548b9db1d5f", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d79a7bdc-344c-5733-9af1-bb58feaf0277", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810812Z", "creation_date": "2026-03-23T11:45:31.810814Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810820Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ceaa5af4b5d113dd319a7bc2d59c46853f39bc0ee0fe0b20e6a37c3afdfcd4a8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d7a133c1-5746-560e-b10f-2b16f5af3787", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816755Z", "creation_date": "2026-03-23T11:45:31.816758Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816767Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4c346263e92ab248bcd19a18014ff5dbedeb19b8299e0bcec0fa74946dbee6c0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d7a4bfeb-d73b-567b-939c-5c0db09fa268", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827858Z", "creation_date": "2026-03-23T11:45:31.827860Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827865Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e2a5bc4aa25afc60dc545a9fa92bee958942741241503f943f2bf622e35db285", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d7b6d48c-3e12-55cb-b505-2cac0601ac73", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829132Z", "creation_date": "2026-03-23T11:45:30.829134Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829140Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7884466b94141efa307b792801b9481a90d3034b568184836fd81cd5ffa341c6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d7bd4c7d-d6dc-5075-a97f-eb788ae400e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140474Z", "creation_date": "2026-03-23T11:45:31.140476Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140482Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5e901746bce330cc13800168090d211718636e36d6ce8ab77519fb5d21bee06d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d7cc47ee-a857-5fd0-8413-bceba21e3d99", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812205Z", "creation_date": "2026-03-23T11:45:31.812207Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812212Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6cdaefad0fedae063ce0cd212eaa2e2c7943156b997e36d1330e9901fb49176f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d7dc113b-0bd1-5702-a64a-d0a5704eafcb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985448Z", "creation_date": "2026-03-23T11:45:29.985450Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985456Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "52d5c35325ce701516f8b04380c9fbdb78ec6bcc13b444f758fdb03d545b0677", "comment": "Malicious BlackCat/ALPHV Ransomware Rootkit (aka dkrTK.sys) [https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d7e3c98d-ef4c-50d7-8548-c9f8269afc62", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825367Z", "creation_date": "2026-03-23T11:45:30.825371Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825378Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"f22d6bfdd23fba86b06cd1081995b1c2766d819713a42a2bb15e14677e9f1314", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d7eca501-fe33-5a00-bede-90b0529723a5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621444Z", "creation_date": "2026-03-23T11:45:29.621446Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621451Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b6fd51e1f57a03006953e84fd56cc2821cc19e7c77c0474e1110aabaacaf03df", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d804a6f7-c3c1-5ca1-b745-adb155157b8c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618711Z", "creation_date": 
"2026-03-23T11:45:29.618713Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618719Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d4288c055c6d68b4a45df501877443e544b31c193f8559c8c7eac927ae738e8a", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d8134188-b101-53d9-a590-bde273178114", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156214Z", "creation_date": "2026-03-23T11:45:31.156216Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156221Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9e4f46529a54b66e135162a6efe28db3148158427a6ce9e39cb9f769011073bd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"d820a63d-6d65-51c9-9605-98cd2dc2f661", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145809Z", "creation_date": "2026-03-23T11:45:32.145811Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145816Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "82d928c586159342837cb457f45619f49db38bb91631a82e4f1b373fb994cd73", "comment": "Malicious Kernel Driver (aka driver_82d928c5.sys) [https://www.loldrivers.io/drivers/af8ef3c0-8686-4112-992b-86587a4a9060/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d8265fae-9e46-5fda-adc5-24a8902cfba9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982307Z", "creation_date": "2026-03-23T11:45:29.982309Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982315Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "710639fd1eb76520e8733840ad78a81e09ce03930e4d3c47998e3162ae95f90e", "comment": "Vulnerable Kernel Driver (aka SSPORT.sys) [https://www.loldrivers.io/drivers/c854b612-0b9f-4fc3-a7b8-a93bed7a291e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d82de877-2da1-5cd5-80d9-b7179c3d58a7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816137Z", "creation_date": "2026-03-23T11:45:30.816139Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816144Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "42446592b42e34bf569a631265bcaf2a2192d424531a343a7680f52199b88462", "comment": "Vulnerable Kernel Driver (aka sysconp.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d8397a5d-15cd-525a-8c02-7a9dabc96cae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.478688Z", 
"creation_date": "2026-03-23T11:45:31.478691Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.478700Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e409afcc70f34df244e72837965371014212d6d705bbd650ee582f47b4189382", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d83c2b3d-1676-5e8b-8814-083672f23a09", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146349Z", "creation_date": "2026-03-23T11:45:31.146351Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146357Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1f3c943f4f9924224f8b61f37d79c3a651c1dfeb1527a65e5798a9ae980293b2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d8408a07-9abf-59b0-bd5b-e8c5c24aa325", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156256Z", "creation_date": "2026-03-23T11:45:31.156259Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156264Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0036359ae6b581abc80fcbecd4169210907cbee598819ae3ad08f7f09af19b32", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d84a612e-e27c-5c3a-a86b-711a780d8113", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610458Z", "creation_date": "2026-03-23T11:45:29.610460Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610465Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "592f56b13e7dcaa285da64a0b9a48be7562bd9b0a190208b7c8b7d8de427cf6c", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d84be08c-447a-57cc-a781-570026175ad0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619784Z", "creation_date": "2026-03-23T11:45:29.619786Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619791Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5147b0f2ca9d0bde1f9fceb382c05f7fa9c333709d7bf081d6c00a4132d914af", "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d8611dc8-4ea4-549e-90ae-aa66eaf76def", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.609465Z", "creation_date": "2026-03-23T11:45:29.609467Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609472Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "12ae98c0f1d7209cffe3bc8be5b76aa1f4faba40af99a6dd299462cdd3820c94", "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d895b4ba-43ce-5f56-8790-240e8c08db5e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141838Z", "creation_date": "2026-03-23T11:45:31.141840Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141845Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b06f8434efce1f2d72315e10ef48bc8a51bfdb4c69a016031a308369d5dd5c70", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d8ae4c08-9bc3-55a2-b3aa-601508a855e6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975096Z", "creation_date": "2026-03-23T11:45:29.975098Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975103Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d8b128d4-8cbb-52c7-8a01-fd61c7a7033a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831055Z", "creation_date": "2026-03-23T11:45:30.831057Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831063Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "93a14d935109917becd87acd891f5ae78a338adf7cec549868fafbc196ea642a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d8b796fa-60c4-5daa-b43d-175b8463ae9e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495237Z", "creation_date": "2026-03-23T11:45:31.495240Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495247Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "05888befb804daaf7f67e4cf96c366469b49aee0ca3bf4956295d13db533bfa8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d8b96539-af8a-5cdb-b242-bbba819f7232", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479944Z", "creation_date": "2026-03-23T11:45:31.479956Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479965Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9f6c870efde4f827da6bb59eb88004eab884f743049eea246cfe18b36585f675", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d8ba2ba1-0832-5d47-b025-69a310dd8a2e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606174Z", "creation_date": "2026-03-23T11:45:29.606176Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606181Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "86721ee8161096348ed3dbe1ccbf933ae004c315b1691745a8af4a0df9fed675", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d8d38a5f-d117-50e0-9fe4-d06c9bebfe8a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980430Z", "creation_date": "2026-03-23T11:45:29.980432Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980437Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0c925468c3376458d0e1ec65e097bd1a81a03901035c0195e8f6ef904ef3f901", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d8dfcaf3-26a0-5fe2-b99b-3bfdacfa07a8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140456Z", "creation_date": "2026-03-23T11:45:31.140458Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140464Z", "rule_level": null, "rule_level_override": null, "rule_confidence": 
null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "30dd053068d60984939e7af6a11d9d0ee2183ba92c7d389f6b2dc71cebc19e22", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d8e44420-94f9-5b81-ac89-e9f596a6d793", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816317Z", "creation_date": "2026-03-23T11:45:31.816320Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816328Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "642478e28630c0f0d02526643315ac855bfb93ac347d8624883f92b6ec51623d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d8fd6855-788c-5997-ac51-3578201c6a96", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605909Z", "creation_date": "2026-03-23T11:45:29.605911Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605917Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c88b23dc0bdeeb244c125825865a7a8d9ef04ba4d62ecdd032c77dc6b6733ead", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d9091cca-e0fc-555a-a5e3-0c6675b042fa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481523Z", "creation_date": "2026-03-23T11:45:30.481527Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481536Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0d133ced666c798ea63b6d8026ec507d429e834daa7c74e4e091e462e5815180", "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"d9312b7e-aa4e-5cdb-ad4f-d4a43a58571a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826225Z", "creation_date": "2026-03-23T11:45:30.826228Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826233Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5652485eaad1e1a7256ce6e1c36f82ed449fc195cb892142705a783ba5a307eb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d942b78d-b406-5159-89b1-f2034af0b065", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616415Z", "creation_date": "2026-03-23T11:45:29.616417Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616423Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b95b2d9b29bd25659f1c7ba5a187f8d23cde01162d9b5b1a2c4aea8f64b38441", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d945a062-6caa-5d1d-b45d-e7fc2ade1d7c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494382Z", "creation_date": "2026-03-23T11:45:31.494385Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494394Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bb2ce27cd66ef89d1de4b9499425006efdd0e254b8ff5cc3c5c396d0e07f3a04", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d946f879-9e3b-594c-9298-50cf1aa53361", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812926Z", "creation_date": "2026-03-23T11:45:31.812928Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812933Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "053d2510fbed9c2a60e5a2f25de9bdc2e1b01a363d83fa02c9aeb6571f660575", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d95d6a86-6087-59c4-94ae-0e84cb553a45", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827089Z", "creation_date": "2026-03-23T11:45:30.827091Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827097Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e08d61ef600c05c47a5645d2234d19bce845071837af412be7b1176452e9678a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] 
[file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d963b275-14db-55a4-a648-81d5c4c6065c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978405Z", "creation_date": "2026-03-23T11:45:29.978407Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978413Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "881bca6dc2dafe1ae18aeb59216af939a3ac37248c13ed42ad0e1048a3855461", "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/a7628504-9e35-4e42-91f7-0c0a512549f4/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d96a4fc1-b296-538e-82bc-03953659e08b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494248Z", "creation_date": "2026-03-23T11:45:31.494251Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494259Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c30705b05d89f543270f98a40358968e8c8f3f00003b9a9a6876b0e2377b8880", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d977723a-352f-59a8-8a43-867ba899b9b6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614023Z", "creation_date": "2026-03-23T11:45:29.614026Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614031Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab494aba56e9ea7b6055ac437f6b678e7239b0fda54bf28019480565a098a6e3", "comment": "Huawei vulnerable drivers (aka HwOs2Ec10x64.sys and HwOs2Ec7x64.sys) [CVE-2019-5241] [https://www.microsoft.com/security/blog/2019/03/25/from-alert-to-driver-vulnerability-microsoft-defender-atp-investigation-unearths-privilege-escalation-flaw/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d98b9fc4-3713-59b3-b95b-74cb80a82a5d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474681Z", "creation_date": "2026-03-23T11:45:31.474685Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474694Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bf101fd701c0fe0e982f0bb75a6f641448ec5dc2cb60c75169d808a9b10ba996", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d9917880-8e25-572d-b415-d3dec4afa848", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143835Z", "creation_date": "2026-03-23T11:45:32.143837Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143842Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "530d9223ec7e4123532a403abef96dfd1af5291eb49497392ff5d14d18fccfbb", "comment": "Vulnerable Kernel Driver (aka wnbios.sys) 
[https://www.loldrivers.io/drivers/baa168cd-eba2-42e4-95e9-47cb4b2f9094/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d9a0f481-bd96-53bb-86fe-96278579bfb2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482282Z", "creation_date": "2026-03-23T11:45:31.482286Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482296Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b3c04f73d74190d00a92d323a9aed827e662fee5c6bc512e9da29ec9761eb8d0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d9a90aae-c06d-5d04-83b0-cea0b47b1599", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.484056Z", "creation_date": "2026-03-23T11:45:31.484060Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484069Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "10f63e7e207c0dee86afec7673dc2ddd83cbde7b6551f6981b30e0e5d3e66dec", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d9b15516-3ce4-5525-8299-addada173a52", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147752Z", "creation_date": "2026-03-23T11:45:31.147754Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147759Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6e11b2d91ca03bccba36b3e84267502fd37763f77c934dedac99074b314dd112", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d9b25515-41bf-5454-8c0c-3b8640236370", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144736Z", "creation_date": "2026-03-23T11:45:31.144738Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144743Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "34478417edc805ad6ba9c3962208a46c3174aaba0b7c6e304ed77af70ee5ae5f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d9b68f89-5359-560c-a16e-f6118ef9c6a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481676Z", "creation_date": "2026-03-23T11:45:30.481678Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481684Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ba6c0c9b64fa739158b5f4465d53e67e574e4b954c8e143cf4e299f5daa65b60", "comment": "Vulnerable Kernel 
Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d9bfa9bf-80d9-5f82-a1a6-0147c127de56", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480562Z", "creation_date": "2026-03-23T11:45:30.480564Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480569Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0cf84400c09582ee2911a5b1582332c992d1cd29fcf811cb1dc00fcd61757db0", "comment": "Vulnerable Kernel Driver (aka PDFWKRNL.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d9e1984c-cab7-5536-adcd-7ba3f9271911", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607852Z", "creation_date": "2026-03-23T11:45:29.607853Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, 
"hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607859Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e2d8dd5dacc24051709f55a35184f5f99aef957a83bd358b0608b4479e1ec24f", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "d9eceb03-de44-5663-986c-25a5e05787f2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984226Z", "creation_date": "2026-03-23T11:45:29.984228Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984234Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6c9dc878d9605070921338d09c6dbecbe11dec50c03fc69a0462884a07c2c442", "comment": "Vulnerable Kernel Driver (aka AsrOmgDrv.sys) [https://www.loldrivers.io/drivers/3f39af20-802a-4909-a5de-7f6fe7aab350/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "da0e13ab-28c0-530c-a1b0-7ea3865f8f02", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826120Z", "creation_date": "2026-03-23T11:45:31.826122Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826127Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f6a3cda1283cdcbb4599eb0a3337838f61a70c1c0f34bc22c4b97d2c6a19a863", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "da157e58-904b-5296-bcc9-418f4efbcfd4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.139994Z", "creation_date": "2026-03-23T11:45:31.140011Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140031Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "35220d414d92ef023084dde1a8f12c1c2f645b2342a7d18848d48d630f283760", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "da42cb82-e009-5157-a5be-7abd6861476b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144193Z", "creation_date": "2026-03-23T11:45:31.144195Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144200Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "426e74e8d62706d5f063c87f4de38d2269db432080b43df8939c026ec9e055e4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "da45f9d6-b9f3-5de3-b4a9-231f9e6edca6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814981Z", "creation_date": "2026-03-23T11:45:31.814984Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814994Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8d3321a84669f27c4f53894496a1d57532032c99732a526422a4e641662b4d6e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "da4743f8-23c8-53df-a06e-2e1875f3c470", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829469Z", "creation_date": "2026-03-23T11:45:31.829471Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829477Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bd74124e2e524ad2ab52444ac56184a33fd5a3df185c7ae71b29b1c86a316c2d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "da4b9f77-9b6a-5482-b2f7-89794bfb3c68", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454710Z", "creation_date": "2026-03-23T11:45:30.454713Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454721Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "342cf884840fc2b48c96398f690a1801ed8ac1ea59305af9e3d070d13ef85601", "comment": "Vulnerable Kernel Driver (aka mhyprot2.sys) [https://www.loldrivers.io/drivers/57354c82-ff9c-4a54-8377-d195e4ff0a26/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "da4c3454-bc7d-53f6-9e11-87dbe8dc0453", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829330Z", "creation_date": "2026-03-23T11:45:31.829334Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829343Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f9f9d255e6405b4fa0ac9baf8776b3f0d9ab302ec7f78f12efdb4399c146983d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver 
(aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "da51fe4e-21e4-503f-8f87-5b7eec767fb4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604503Z", "creation_date": "2026-03-23T11:45:29.604505Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604510Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea80d2e65b03ea918f918d60cc8397aa4ee11eeb7bf679c7813311ff32ed5c81", "comment": "Vulnerable Kernel Driver (aka STProcessMonitor.sys) [https://github.com/ANYLNK/STProcessMonitorBYOVD/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "da5817a5-e459-54f0-b3c7-720c6d4d80ef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489477Z", "creation_date": "2026-03-23T11:45:31.489480Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.489487Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7cb2fa8795007c4d8c2079d40ee1b9006ad708bd08492b37b3bbae486d7ab7e4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "da58922d-e475-5a29-b7ff-d001ac8dfac8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827238Z", "creation_date": "2026-03-23T11:45:31.827241Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827250Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "44fb4cef87bb15c279ec223d2c378de4aea56bbd8277f2f8b3cfec7586c84f4e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "da592dab-86f7-566d-9802-0c4de699aa56", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980681Z", "creation_date": "2026-03-23T11:45:29.980683Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980689Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fec1c641c7151e931aeb0d1ac59a97d6d3b486c482c1df8794e6424e75e6da1a", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "da657a56-8e84-50d7-b106-28e81106d396", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829604Z", "creation_date": "2026-03-23T11:45:30.829607Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829616Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9699b885bfce9a6fc0b48484adddd58df1a5ed8161adae1ed58dca1c20c2ea40", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "da6b46b5-9843-51de-9971-2c81730ca5b9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817215Z", "creation_date": "2026-03-23T11:45:30.817217Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817222Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "33d7046a5d41f4010ad5df632577154ed223dac2ab0ca2da57dbf1724db45a57", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "da6bd2d0-af9b-5f53-b2bc-5f7d9f50829b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157353Z", "creation_date": "2026-03-23T11:45:31.157355Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.157361Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e926e55b953059fa579205ab3f550ef4e6a3f811f8f22cc31e3f6fcabbb7e6ed", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "da761c25-3c8b-5809-a823-955365e3f345", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608299Z", "creation_date": "2026-03-23T11:45:29.608301Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608307Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bd1f381e5a3db22e88776b7873d4d2835e9a1ec620571d2b1da0c58f81c84a56", "comment": "Malicious Kernel Driver (aka hlpdrv.sys) [https://news.sophos.com/en-us/2025/12/06/inside-shanya-a-packer-as-a-service-fueling-modern-attacks/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "da811f79-1969-5bb5-8709-6654fadfeafd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819725Z", "creation_date": "2026-03-23T11:45:30.819727Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819733Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9bfd24947052bfe9f2979113a7941e40bd7e3a82eaa081a32ad4064159f07c91", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "da8af7b7-67b7-5af7-95ce-0d4299fc5b0f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829376Z", "creation_date": "2026-03-23T11:45:30.829378Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829384Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "28a7b5e4850c742cda67a352f4bf078ca9edcb2fbeb1475b3bca565385880219", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "da9de128-f8df-5504-8f20-6632376dc6e4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970511Z", "creation_date": "2026-03-23T11:45:29.970513Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970519Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "443c0ba980d4db9213b654a45248fd855855c1cc81d18812cae9d16729ff9a85", "comment": "Mimikatz kernel driver (aka mimidrv.sys) [https://github.com/gentilkiwi/mimikatz] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dae00cbc-5630-5df5-98b4-b5258e70c9b8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824243Z", "creation_date": "2026-03-23T11:45:31.824246Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:31.824255Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b150744e6f91a6bfba549ebcc0dd1bf3a8cd16c841abd954a876bbdf811d1fa2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "daf855a8-b5a1-5b75-9175-b820d81083eb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465284Z", "creation_date": "2026-03-23T11:45:30.465287Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465296Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cf9451c9ccc5509b9912965f79c2b95eb89d805b2a186d7521d3a262cf5a7a37", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "db04da39-2716-51d6-a9f8-9b43c20406fe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823309Z", "creation_date": "2026-03-23T11:45:31.823312Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823320Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c1363c4a199d2d078869aaaa0adeb581331ee6ad53112cb375a71bbf714f94ad", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "db063f08-4220-52dc-9b0d-0d3c5a403e15", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160703Z", "creation_date": "2026-03-23T11:45:31.160705Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160710Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8894089454a522b94ff6a733e457c27491e3d40c9db7769328de5626cdcf7dcb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "db09681a-7ad8-5b49-bc4a-542a626e8fcb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616364Z", "creation_date": "2026-03-23T11:45:29.616366Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616371Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6c64688444d3e004da77dcfb769d064bb38afceeef7ff915dfc71e60e19ff18a", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "db25a70b-abee-530c-9e92-ce3153d53c10", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613407Z", "creation_date": "2026-03-23T11:45:29.613409Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613414Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3943a796cc7c5352aa57ccf544295bfd6fb69aae147bc8235a00202dc6ed6838", "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "db29906a-b69a-5007-b76d-73343a5314c8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144856Z", "creation_date": "2026-03-23T11:45:32.144858Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144864Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0058db5dab98d570d418af5c2ea15333bec7723b5819ab4f433d7e7760fae8ed", "comment": "Malicious Kernel Driver (aka driver_146b8f4f.sys) [https://www.loldrivers.io/drivers/cea8bd08-a3c5-4ae1-a568-387b909ada67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "db29ff68-dc29-56f4-a828-cb095a99f204", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818322Z", "creation_date": "2026-03-23T11:45:31.818326Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818335Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "df378b30c98cd531929f6db91bb19fd96e5588f9a01b7a969d3d02529d4444db", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "db3fbb4d-d679-5188-bd0c-34ced063dae6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833425Z", "creation_date": "2026-03-23T11:45:30.833428Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833437Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9bbc9d28ae529e9c24db1f081933a2dd41f90e9f66d991732dada38bef414963", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "db425a75-ac04-5374-8b48-988ece0d6c27", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477725Z", "creation_date": "2026-03-23T11:45:30.477729Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477738Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "197896f4764d0c9e146cf532bbc531f93e6d61dbf28d25e3e96e2ba48d2b6c6a", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "db59834a-5854-5e2f-ba8d-66bc2af475b1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.815650Z", "creation_date": "2026-03-23T11:45:30.815652Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.815658Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ba386547523c5779e47c59ccb1b853918386cd398f054ac767a3a5b333e3fad3", "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "db637111-070a-5c7e-9148-5ad22b902c0a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488534Z", "creation_date": "2026-03-23T11:45:31.488536Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488542Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "037a683b360372f57179f20da624e58c006607bd83e2292b8541a9b8483fa546", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "db646702-3a12-5b70-b951-ab785f2d65a7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821370Z", "creation_date": "2026-03-23T11:45:31.821373Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821381Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c31503f95a59bffd5804dae77a83a5cf469829ec3ff7434bc24a8ad7bd86df35", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "db6b8d45-5507-5510-942e-83672fd02eeb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458193Z", "creation_date": "2026-03-23T11:45:30.458196Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458205Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e4cf438838dc10b188b3d4a318fd9ba2479abb078458d7f97591c723e2d637ce", "comment": "Vulnerable Kernel Driver (aka nscm.sys) 
[https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "db738645-0f73-5f35-9d8a-da181b514da7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491867Z", "creation_date": "2026-03-23T11:45:31.491886Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491892Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "058d6312910220df60ca41846c1960214e72527bff6ac38fd3c0004ff142e99d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "db74607c-7bab-52be-a25d-ac1feb72e807", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606404Z", "creation_date": "2026-03-23T11:45:29.606405Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606411Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a6e758caceb7e3f548d5038541fcbadce73aec8212b7b8116c8c4ce1168486ec", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "db74976a-ab9e-53c7-b80c-780bfc2ad02d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140618Z", "creation_date": "2026-03-23T11:45:31.140620Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140626Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a19776f8a166c203029f85a111c0fc270f6f1265626cc55ca85bef69061143e6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "db7b3483-547d-5417-86d9-30d67d0842f7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817178Z", "creation_date": "2026-03-23T11:45:30.817181Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817186Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ace6dded819e87f3686af2006cb415ed75554881a28c54de606975c41975112", "comment": "Vulnerable Kernel Driver (aka AODDriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "db821369-2e81-5909-a5bc-ce14b30d45d9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825422Z", "creation_date": "2026-03-23T11:45:30.825426Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825435Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "81aac371b0fb635ed36b7c83c5ce52ef3587f92bfc2b98d6641fa2efae2fe782", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "db931d4b-3d06-51ec-87d3-2c08eed5b947", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618040Z", "creation_date": "2026-03-23T11:45:29.618042Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618048Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4710acca9c4a61e2fc6daafb09d72e11b603ef8cd732e12a84274ea9ad6d43be", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "db95c4c6-9a4e-5fe3-b08b-580bbf1f0f51", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608369Z", "creation_date": "2026-03-23T11:45:29.608371Z", "enabled": 
true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608376Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b24bd295ebe05f54c8efc353be1ac6cf2c07cf4036ef0756e8296129a8e7a63a", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "db9d1dba-5bf3-582c-8681-38c79f2131b0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836541Z", "creation_date": "2026-03-23T11:45:30.836543Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836549Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0da33f5906af0bdfe630561ee62ae7a6d882f5a9811ba2638fa84adeadfb7160", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dba433f4-ce45-56f8-92c1-cdc06ee05ecd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493791Z", "creation_date": "2026-03-23T11:45:31.493795Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493804Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fbebacae253be6dea626ad354061b14a2da0d3c4ef6c9f31b29c7a0128f863ce", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dba785c4-eb61-5d4c-b720-70adb6cac2bb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978049Z", "creation_date": "2026-03-23T11:45:29.978051Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978056Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"ae79e760c739d6214c1e314728a78a6cb6060cce206fde2440a69735d639a0a2", "comment": "Vulnerable Kernel Driver (aka ni.sys) [https://www.loldrivers.io/drivers/4f93e19c-4600-4e2e-943f-a986875fd7d2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dbb4e149-6270-5906-b001-ae376909d137", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475358Z", "creation_date": "2026-03-23T11:45:30.475362Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475370Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3fb37ecca8742677bd94ef6f6fb195b4baac701525c2140773a6475fa3aa633c", "comment": "Malicious Kernel Driver (aka ef0e1725aaf0c6c972593f860531a2ea.sys) [https://www.loldrivers.io/drivers/8c2df58f-1e02-4911-ad40-3fa4ed1f4333/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dbbd8cca-b1c7-598d-9f84-186ce5806b07", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979203Z", "creation_date": 
"2026-03-23T11:45:29.979205Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979211Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6a6db5febdaf3f1577bf97c6e1e24913e6c78b134062c02fd1f9875099c03a3f", "comment": "Vulnerable Kernel Driver (aka nt2.sys) [https://www.loldrivers.io/drivers/cacc48e6-6ed8-431c-abee-88ee6c2dc3c1/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dbc0d456-803a-59c2-8e8e-cbc15f4b6267", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.484330Z", "creation_date": "2026-03-23T11:45:31.484333Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484342Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "86e323a7bfb49e25d7b87b9371bae05b55eee961f7601057bd4f3678334b4bb5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dbc1d65a-8a81-5995-8594-4009c1ae2d90", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620177Z", "creation_date": "2026-03-23T11:45:29.620179Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620184Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "45abdbcd4c0916b7d9faaf1cd08543a3a5178871074628e0126a6eda890d26e0", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dbc37f56-f37f-59cb-950a-e7abdfdec53f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146204Z", "creation_date": "2026-03-23T11:45:31.146206Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146211Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "175bfda05e5038f18daf8df0ace486fcad16d6e6412499e71db6e822ab2ea785", "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dbc8516f-5048-5b3e-b974-b39568bf298c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.478379Z", "creation_date": "2026-03-23T11:45:31.478400Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.478433Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c0cd6340e6726716c7f1c000e7b63fd8bca7e74102eb91edddcb4428bc1dd55b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dbd92e0f-8455-5320-a172-9c5fb1ba5840", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150772Z", "creation_date": 
"2026-03-23T11:45:31.150774Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150780Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "698a74f3c3261d42ba900e1cb213036ec41164faffc39bc9de996243d86f0c33", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dbe6cea0-9b79-59e0-9603-9697a7af59e7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614839Z", "creation_date": "2026-03-23T11:45:29.614841Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614846Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b7a20b5f15e1871b392782c46ebcc897929443d82073ee4dcb3874b6a5976b5d", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dbf1ebe6-8ea0-579c-abd4-8871b12abe54", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977442Z", "creation_date": "2026-03-23T11:45:29.977445Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977454Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4a9093e8dbcb867e1b97a0a67ce99a8511900658f5201c34ffb8035881f2dbbe", "comment": "Vulnerable Kernel Driver (aka ProtectS.sys) [https://www.loldrivers.io/drivers/99668140-a8f6-48f8-86d1-cf3bf693600c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dbf2ab8a-aaf1-5151-8abc-ec5f2f6b6039", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608742Z", "creation_date": "2026-03-23T11:45:29.608744Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608749Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"cfad0d75d218ce160f7b7932e39ec4387d2245c3d72eb9d7cfbaa5198aa8cee3", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dc08399e-6e47-53de-8329-8afd6fe89621", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.813297Z", "creation_date": "2026-03-23T11:45:31.813300Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.813308Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f749a9da70a5b74835bde3210e7388ab8a569dcd73b8d2377569348cd592f8d9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dc2b05a5-453d-5be7-a332-f8f54b5ce3ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.829359Z", "creation_date": "2026-03-23T11:45:31.829362Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829371Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "89fbb4aff9cb0636ff3b732dcc7ce7972337b649212214c72d1172574e30c23e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dc2d5b44-3608-5aec-b5f0-7d30ade9837c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824276Z", "creation_date": "2026-03-23T11:45:30.824278Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824284Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "db0c85649cbf52afdb65c3d5c69357eb24c202ca1de35dc3dad7d75690823a5f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dc3d9437-4ffd-5383-8ff2-c194a175377b", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476404Z", "creation_date": "2026-03-23T11:45:31.476408Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476418Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bc5fa01c9a3885cbc0e6f4a798f487fbe77aa6c83770c0558f7f72fea7e46b35", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dc41c0c0-67a2-58ad-b54c-1b59f92c3398", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821962Z", "creation_date": "2026-03-23T11:45:30.821964Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821970Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "db58973c75b7cb94ffb31ad46fddf2f16f19075a99a69a7de20f8c0e42d96ba0", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dc427c68-8bd9-5d1f-8d4c-6bf8558bf02d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827980Z", "creation_date": "2026-03-23T11:45:31.827983Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827988Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4a996a4b5d494f02a2e70a3cffe28f4ee9d5de7cf48f5363b662163165f4d31e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dc541a5e-a9e1-5f0d-8133-37ea1b045d26", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" 
}, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618907Z", "creation_date": "2026-03-23T11:45:29.618909Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618915Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c349c8036b5ee61e7b0831943697ba98bfe70a52bac0a06b497c229b0c0fff27", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dc607bc5-ba62-5e5f-ba19-7d16421e9ee3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453519Z", "creation_date": "2026-03-23T11:45:30.453523Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453532Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "75f1bea34e2bb1d26cf173eba44daeb9bbee8106d43b911a01f73f76be17a165", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dc612226-d7f3-5d7c-b364-f94b6571a046", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157136Z", "creation_date": "2026-03-23T11:45:31.157138Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157143Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ae9800e70d6d3511f5e93204310d8d895827d81df2f27f0d662e7ac11bd47527", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dc706fe6-290e-564b-bdfe-5ca26b21bb54", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827362Z", "creation_date": "2026-03-23T11:45:30.827364Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827370Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bd2560bd492ed88f4822a7ce4cd8e4f47f2727895964edcd0f7fe5a419910cb3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dc71c3d9-04ba-5176-8338-01946c39af90", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970140Z", "creation_date": "2026-03-23T11:45:29.970142Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970147Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "11f0f2395b3e7a9849bf3f050bfda6b48ae2de856d8541a16b51d9097afb8306", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dc781622-d418-5abf-b731-3ff4bc61b109", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.496055Z", "creation_date": "2026-03-23T11:45:31.496057Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.496063Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "49e6c9a0b3d0e5c6141cdeb33c767d05eccc063e742bc49759ab1f36b04064af", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dc78bd8b-1b82-5f69-834b-5eba7ba9e08f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462584Z", "creation_date": "2026-03-23T11:45:30.462587Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462596Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dcd026fd2ff8d517e2779d67b3d2d5f9a7aa39f19c66fa8ff2cab66d5c6461c6", "comment": "Vulnerable Kernel Driver (aka yyprotect64.sys) [https://www.loldrivers.io/drivers/12ccd18a-11da-495a-b4b4-98a2f2bff180/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dc8e3dc7-a375-5e8c-89d4-5c34bc2380ad", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816240Z", "creation_date": "2026-03-23T11:45:31.816243Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816250Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "97b180382d816c8f3f507d946a7f519f5d319e9de97a8ce56f4a447e9ab2ef54", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dc994e02-e98f-5d16-b93c-9146b6491e46", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.142747Z", "creation_date": "2026-03-23T11:45:32.142749Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.142755Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0fe75edf9d4bdceb2dd9e4919a3b10f9d3305065862288cad09beb4f385f5410", "comment": "Vulnerable IKARUS anti.virus Driver (aka ntguard.sys and ntguard_x64.sys) [https://www.greyhathacker.net/?p=995, https://www.exploit-db.com/exploits/43139] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dc9ea2c4-7bdd-589f-a1c4-c3a77d053de4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475674Z", "creation_date": "2026-03-23T11:45:30.475678Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475686Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e219276a4068b1eea5ce08f83a322845dce4eca89e05c71a0c2417065ce48813", "comment": "Vulnerable Kernel Driver (aka directio64.sys) [https://www.loldrivers.io/drivers/a254e684-f6eb-40c4-a50a-7b76feb6cc02/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dcad2987-98ae-5a0a-8118-9d1c45a3190b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821076Z", "creation_date": "2026-03-23T11:45:31.821078Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821086Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7bc0a85db87d08a0dda93cbece19ce70935bac4a44452bb1c3658657d1204755", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dcaef3cf-2013-56bd-b328-535dc5180f8c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973518Z", "creation_date": "2026-03-23T11:45:29.973520Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973525Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2afdb3278a7b57466a103024aef9ff7f41c73a19bab843a8ebf3d3c4d4e82b30", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dcb19b73-9469-5fa5-8b16-18a8950388e6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982886Z", "creation_date": "2026-03-23T11:45:29.982888Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982894Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "786f0ba14567a7e19192645ad4e40bee6df259abf2fbdfda35b6a38f8493d6cc", "comment": "Vulnerable Kernel Driver (aka WiseUnlo.sys) [https://www.loldrivers.io/drivers/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dcb50a31-e2bb-5a8d-b3e1-ad1361176008", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155889Z", "creation_date": "2026-03-23T11:45:31.155891Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155896Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ed4f8a397efd1c69890accc39c3b17d9914add78e8ed14f7225252834d9ee434", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dcd39f18-6233-5d23-bee1-2d34a63cd44f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493542Z", "creation_date": "2026-03-23T11:45:31.493545Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493554Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2c28d0a74e1d185b36de46a4aa356d13900f3549efc0c930c0cbe91fac8a990d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dcd5b66d-7f03-58c4-91a3-4a9b8ff4cdc9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157334Z", "creation_date": "2026-03-23T11:45:31.157336Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157342Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "edd412e4406e2b863c48c4aca4192a63f4a9617f93eccea8c82c735629a2f38b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dce66a4f-9eef-5b97-a470-95bf7bb1f25a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831254Z", "creation_date": "2026-03-23T11:45:30.831256Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831262Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "da00248fe367e7d220824c27f2bd02e2bb3ea467fd76d3cdfee8f62e5d83cbcb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dce88221-6fca-567c-b0ee-4ebed5fd8d88", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477773Z", "creation_date": "2026-03-23T11:45:31.477777Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477786Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7666194867593ceaf7a3349f0edf794c46b58a2b15cb957ddd00c526acde7c6e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dcf7fb18-4540-5118-b212-12056498abf4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.142790Z", "creation_date": "2026-03-23T11:45:32.142792Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.142798Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "592979e894d4c0af645e0bd70d23333facbb7c5b7e35e9b19a9acd564aa97c09", "comment": "Vulnerable VirIT Agent System Driver (aka viragt64.sys) [https://www.trendmicro.com/en_no/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dd13aa27-0a09-557f-8e2e-9d7814869057", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823519Z", "creation_date": "2026-03-23T11:45:30.823521Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823527Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9dada726191185a41663f42cee4cb63eca0cf6ec6204fec8851c1dce940e217b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dd1e3335-5f2c-59e4-8afc-68d5d62793ea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463756Z", "creation_date": "2026-03-23T11:45:30.463760Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463768Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "10ad50fcb360dcab8539ea322aaf2270565dc835b7535790937348523d723d6b", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dd27cfac-bf08-50cf-9c50-fe0889c21411", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810611Z", "creation_date": "2026-03-23T11:45:31.810613Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810618Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "85ad9817ec0f48919fd21bcc911888b06f289c6ccdf28566c3cfcbd1c66c526c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) 
AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dd30c565-5ede-54b1-900a-f91e6bc8d323", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812813Z", "creation_date": "2026-03-23T11:45:31.812816Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812825Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e3b00d5e6e0e37ecb2498274d84feba9fe87376241112e6605a397b2f8852f98", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dd3dcbf6-25e1-5fb0-84dc-cdfa4b7a71a5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823155Z", "creation_date": "2026-03-23T11:45:31.823158Z", "enabled": true, "block_on_agent": 
true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823165Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f8f09a7c1c7fac1ed11ce285ab6b8e1635b645ca7dfffd4cd165cbe36d99e80b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dd519426-73e9-5f9a-a14f-ac15681728ad", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141201Z", "creation_date": "2026-03-23T11:45:31.141203Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141209Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "04b9dc21b67e08fa55fb644e7758cbef7e2dcf81c065bb70fe122c79e80b5c51", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dd5f9a2b-69b1-59a5-b0b1-2fe89c52cd1f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969058Z", "creation_date": "2026-03-23T11:45:29.969060Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969066Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e4522e2cfa0b1f5d258a3cf85b87681d6969e0572f668024c465d635c236b5d9", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dd6f857b-a102-502d-bee4-1655f980d644", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812152Z", "creation_date": "2026-03-23T11:45:31.812154Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812159Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab1d2a46a4ebb992992bdf59226829ac72cfcf81fc0a3c15791a397bc4737673", "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dd76943a-1a27-5c00-957c-b61c1cab493e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476757Z", "creation_date": "2026-03-23T11:45:31.476761Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476771Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2cd25da2ba833aa1a88d73135650434c2a6d684cf2db1261fce38aaabf54046e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dd772af7-970b-55b5-bf86-30b5b908b8e9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980820Z", "creation_date": 
"2026-03-23T11:45:29.980822Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980827Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e0aff24a54400fe9f86564b8ce9f874e7ff51e96085ff950baff05844cff2bd1", "comment": "Vulnerable Kernel Driver (aka IObitUnlocker.sys) [https://www.loldrivers.io/drivers/4bf4b425-10af-4cd4-88e6-beb4b947eb48/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dd799e87-5bc1-54bf-a6b8-e1ccf67afdc5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490489Z", "creation_date": "2026-03-23T11:45:31.490490Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490496Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7a3ea5b9a39bf55f900964a55dadae7e34fd9476d8346a4fa701f11760aefd6f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dd7b8f69-b439-5094-bd7c-7dc49f6343d8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455639Z", "creation_date": "2026-03-23T11:45:30.455642Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455652Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4e54e98df13110aac41f3207e400cce2a00df29ce18c32186e536c1de25a75ce", "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dd7fc026-6aa9-5b52-adca-d9f5f0d4242c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605752Z", "creation_date": "2026-03-23T11:45:29.605754Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605760Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "89b9823ed974a5b71de8468324d45b7e9d6dc914f93615ba86c6209b25b3cbf7", "comment": "Process Explorer 
driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dd90d569-38de-57d8-b3f2-e1df84087617", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816246Z", "creation_date": "2026-03-23T11:45:30.816248Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816253Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "42b31b850894bf917372ff50fbe1aff3990331e8bd03840d75e29dcc1026c180", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dd9a9d8d-a442-558e-9616-b46094dc691a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157371Z", "creation_date": "2026-03-23T11:45:31.157373Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157379Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d6e25ba22219c44a53b18b1aeb82c6e4299efe61128763211c0c5e392bcd1a6f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ddacb281-a386-573a-ba6a-a98227ab8a93", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811026Z", "creation_date": "2026-03-23T11:45:31.811028Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811034Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "10dd106c43f4762a9ea463b7316640bf1c76fd77b682e4a79299ef1a9ddc0220", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ddae2fce-6488-56bd-9165-0eb0df7c3054", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610371Z", "creation_date": "2026-03-23T11:45:29.610373Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610378Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3e07bb866d329a2f9aaa4802bad04fdac9163de9bf9cfa1d035f5ca610b4b9bf", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ddc24181-ea17-51d2-9953-52dc2214cd67", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149300Z", "creation_date": "2026-03-23T11:45:31.149302Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149308Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e5eb94cd2ed5bda08d9ca17115dbf51fe65b96a96b35ee4686a04b8cf95d39e0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ddc906fa-63a2-5084-96a1-125979533406", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811833Z", "creation_date": "2026-03-23T11:45:31.811835Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811840Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c432e1dfcb412fd0b3683bcfe4a9f7b49465287203d1deb2b8789b6ead00c725", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ddca0933-796e-5b4e-bf30-49cc688ec497", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604410Z", "creation_date": "2026-03-23T11:45:29.604412Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604418Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0cf72a6d8c4add613209a1af41c6b09013fa688c9841210b5ff1d2908d99bf00", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ddccab46-a61f-5e74-89f6-850e825c2668", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143540Z", "creation_date": "2026-03-23T11:45:32.143542Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143548Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9dee9c925f7ea84f56d4a2ad4cf9a88c4dac27380887bf9ac73e7c8108066504", "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ddd10f07-09a7-5ac9-b1cb-3a0689569074", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968403Z", "creation_date": "2026-03-23T11:45:29.968405Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968410Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4e3eb5b9bce2fd9f6878ae36288211f0997f6149aa8c290ed91228ba4cdfae80", "comment": "Ours Technology Inc. Dangerous I/O Driver (aka otipcibus64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dddb3d19-bd67-5e95-9c2e-a7033aef5d4e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150985Z", "creation_date": "2026-03-23T11:45:31.150987Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150992Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b8b9625620939b828ff2a5ba06f1bbba20514a04facdf5195f77451ccaa12338", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ddf1f45d-3842-5afb-9b5f-1b1896485f83", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500655Z", "creation_date": "2026-03-23T11:45:31.500659Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500667Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "10b5c744cec261edf6fa5374662da30f95bd823f80797c4f018f5dfeb11faf8e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ddffc375-ccdc-5e38-b8fd-9898b1037f35", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144288Z", "creation_date": 
"2026-03-23T11:45:31.144290Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144295Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "41acac502ce4dc72091cf9a60425db333af0502eade520e532a4f8591fb6b5fc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "de0553e0-2340-5758-8b2b-1b81148d6499", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144215Z", "creation_date": "2026-03-23T11:45:31.144219Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144225Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "72cb472d69def47fd89564c3f895867006908443f805971875533069a6efaf32", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "de0943eb-deaf-5942-b021-772bedd0498b", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829044Z", "creation_date": "2026-03-23T11:45:30.829046Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829051Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c74de5c5805e87c2c2b2aec77e3416c4ddd175514950a45a7276b0972241b426", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "de1681e7-21e2-5ab4-824b-ea93afa2e38d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.471864Z", "creation_date": "2026-03-23T11:45:31.471868Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.471907Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "4644ddf941ea48f122487f2a434bb4f88984b49c540f52d5f9e775b2371e2a17", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "de265821-4b09-5cb3-bf26-0e6ba5f443a0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143504Z", "creation_date": "2026-03-23T11:45:32.143506Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143511Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b2247e68386c1bdfd48687105c3728ebbad672daffa91b57845b4e49693ffd71", "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "de281c7d-d469-54f6-b88c-d14760339c79", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.494968Z", "creation_date": "2026-03-23T11:45:31.494970Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494975Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "58ab20e947ed3f42da8f9e9d0efeb2045ebe880207e20612139bd8cd777d579b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "de29eb6d-8d79-5078-8c72-7242928f7c85", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472403Z", "creation_date": "2026-03-23T11:45:30.472407Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472416Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c7f64b27cd3be5af1c8454680529ea493dfbb09e634eec7e316445ad73499ae0", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "de2b70f2-8a86-55fd-93a1-47daeaec9391", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491814Z", "creation_date": "2026-03-23T11:45:31.491816Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491821Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "72a39b2ab86f813db654400e4acafbde33f51c88e88a6ebd2ac3d6acbf159cd7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "de2d9731-a682-5e8e-902c-4c8cb1e5f0bf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811134Z", "creation_date": "2026-03-23T11:45:31.811136Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811141Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"692c0ec8d824a93911e7bcf9b15ed43c497f5451b15adf9c1cfb62dc593582a2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "de378d05-3ebd-5bf8-9961-b42b3adbd567", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620815Z", "creation_date": "2026-03-23T11:45:29.620817Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620823Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "db90e554ad249c2bd888282ecf7d8da4d1538dd364129a3327b54f8242dd5653", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "de37e3e3-94b4-5551-b00b-e021d9ee5b6e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:29.985666Z", "creation_date": "2026-03-23T11:45:29.985668Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985674Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f6c316e2385f2694d47e936b0ac4bc9b55e279d530dd5e805f0d963cb47c3c0d", "comment": "Malicious Kernel Driver related to WINTAPIX (aka WinTapix.sys and SRVNET2.SYS) [https://www.fortinet.com/blog/threat-research/wintapix-kernal-driver-middle-east-countries] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "de3b12bb-c5c8-54fe-b920-fa1b9ca90621", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150564Z", "creation_date": "2026-03-23T11:45:31.150566Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150571Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "54945c8914963302136ec48806e040f9a1872ba09bb05eafe8f45bc48a075456", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "de3e1f2b-97e2-560b-96f7-e47ed3377863", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141398Z", "creation_date": "2026-03-23T11:45:31.141400Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141405Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "91a25cacb4483da51c27ec91da3afdd72e2574ae319155cc902cce29940ecaca", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "de42e94b-82be-57d8-8a22-30faf2f01543", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810990Z", "creation_date": "2026-03-23T11:45:31.810993Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810998Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "ceab4c5188d05433959cb3524c9963d006e250c16f4c7cd9c9af7bdd56c969e4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "de606bb0-6f3d-503b-ad46-b130bc5961ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487432Z", "creation_date": "2026-03-23T11:45:31.487434Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487440Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "61bacf21287d587d3a362e88a79af872aac0e8795f0d4730031e87b448aa2ac2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "de7c5027-fcde-59b1-8a05-3e64659254d3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976137Z", "creation_date": "2026-03-23T11:45:29.976139Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976145Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f05b1ee9e2f6ab704b8919d5071becbce6f9d0f9d0ba32a460c41d5272134abe", "comment": "Vulnerable Lenovo Diagnostics driver (aka LenovoDiagnosticsDriver.sys) [CVE-2022-3699] [https://github.com/alfarom256/CVE-2022-3699] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "de84eace-1153-584d-af0f-3e30c35d321c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152586Z", "creation_date": "2026-03-23T11:45:31.152587Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152593Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "49ca61e32736c4c3792a2e69b6b075fbc31e08612e178d77e8bb8fc75f098e71", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } 
{ "id": "de88b109-7c24-589e-af7d-2aced2b000ed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144596Z", "creation_date": "2026-03-23T11:45:32.144598Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144604Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "39171fcaff172d6b38762acef3d3352f9a375e3db7e54a7b51261a53b3c94266", "comment": "Vulnerable Kernel Driver (aka RtsUer.sys) [https://www.loldrivers.io/drivers/71d930a7-3465-4d27-90d4-2a1a08bebb92/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "de8c5c97-6c1a-5bc4-8279-99c8a6efdc1e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144819Z", "creation_date": "2026-03-23T11:45:32.144822Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144827Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "c4020e95f8a69522e400d3b14bf1be4fec2e7db0597626fbd8f8c3c1e85bffa0", "comment": "Vulnerable Kernel Driver (aka ViveRRAudio.sys) [https://www.loldrivers.io/drivers/4cb95b41-43b4-4806-b536-ae5fd8c76b0e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "de8e3bd4-c117-5bfd-9b80-8ff7735e75dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143760Z", "creation_date": "2026-03-23T11:45:32.143762Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143768Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9923b3d6e508aa2086c66b36038b37206b0f8d26beaf87022290a2b574c2e047", "comment": "Vulnerable Kernel Driver (aka DcProtect.sys) [https://www.loldrivers.io/drivers/7cee2ce8-7881-4a9a-bb18-61587c95f4a2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "de96730d-2f81-5395-8491-7fc2e52cdabd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822580Z", 
"creation_date": "2026-03-23T11:45:31.822584Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822592Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e8aee9dc95134e49bb19bcf0925addda60372b99dc2ffde0dea68f3573672a98", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dea69269-2a2d-5162-baf5-53c07088537f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981820Z", "creation_date": "2026-03-23T11:45:29.981822Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981828Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4e3887f950bff034efedd40f1e949579854a24140128246fa6141f2c34de6017", "comment": "Vulnerable Kernel Driver (aka TestBone.sys) [https://www.loldrivers.io/drivers/be4843ef-a2a8-4a0d-91c6-42e165800bb0/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "deade94f-becd-592b-be1a-d471ad088f4e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140209Z", "creation_date": "2026-03-23T11:45:31.140211Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140218Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "82b4876716782349f4b7c6d1b0d7041e3e3b4c38d19a9579f1a7cfb11822840c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "deae422d-9300-5f6b-b962-ee24233201ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159535Z", "creation_date": "2026-03-23T11:45:31.159537Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159543Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"817aa0ff85446b1420c5608910004a7f379afc67890d36089d2ed7e1aa5757ce", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "deb09886-6c52-500e-a382-1f4c8256201d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967676Z", "creation_date": "2026-03-23T11:45:29.967678Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967683Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c283d02dfdae3e67fbfe7a70f1fc94dd164b0d2e6a905098acd697ff826b707d", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "deb87e89-a127-5b12-a3ee-199c88c45bae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.456566Z", "creation_date": "2026-03-23T11:45:30.456569Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456578Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5ea5f339b2e40dea57378626790ca7e9a82777aacdada5bc61ebb7d82043fa07", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "debee8ea-934a-589b-b15f-afee6c9f9a6b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147553Z", "creation_date": "2026-03-23T11:45:31.147555Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147560Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cbef55713e8f6db9a0a7bcb71f1599ac663a947911ec1a87693ce6c26bc4cf90", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dec7590e-c033-5748-b5bd-f298b2593674", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146456Z", "creation_date": "2026-03-23T11:45:31.146458Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146464Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aea434cd31c278819342851c8769847a75376273bb214f2d19082e0a55e1ab14", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "decb5842-e730-577a-bc26-f2dd83b433a9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979743Z", "creation_date": "2026-03-23T11:45:29.979745Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979751Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"948735962436df24baa69e58421345d4a295e0821f4f93fd9f64e11f51a9666f", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ded0bd6b-5f87-57ce-8efd-578d6781bca1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491938Z", "creation_date": "2026-03-23T11:45:31.491940Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491946Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8a1b6c77ff2b68bbc492047d56234192f8a7ae7a69e92737e38db67a8e35ceb4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ded40bbc-1bc0-5abc-a8ab-d4870595901f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824097Z", 
"creation_date": "2026-03-23T11:45:30.824099Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824104Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "00d957e49a5b6c290c8d0f645b91d2688396c708464ae3da33b79d4ff964874b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dedff988-300f-56ee-a8c9-188aa9b544cd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486074Z", "creation_date": "2026-03-23T11:45:31.486077Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486087Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f082d6c315906e10e06d2da9ba3b15396935c74e68b26f34cc026121e540b7a9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dee09683-3d9f-53cf-b209-70207d8b7774", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817607Z", "creation_date": "2026-03-23T11:45:31.817610Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817618Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6b6157234e63a145e4cbdb4b3236ab3daf40814a723ba8cc83c1156cc70a6f0c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dee6556d-b7e7-5038-83b3-d472ba9ec229", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150651Z", "creation_date": "2026-03-23T11:45:31.150653Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150659Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "025664833087b5a79110ffeb655a9f3eedbcb1ef737959bdbd7c3f4ff9c15245", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "def2807f-9961-5726-97b6-58cd446f291c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972646Z", "creation_date": "2026-03-23T11:45:29.972648Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972653Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "485f3a67b826928c1f2d6ba7437b02d42c1b55a6511b521deb9a36aeb304ef98", "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "def333ff-4b60-51b6-8bd6-5b0b3868d735", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, 
"username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159728Z", "creation_date": "2026-03-23T11:45:31.159730Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159740Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0eb7b71fe375b12475c29a427fe9b6cc1cb6608aa42b941e5df62a3db674473b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "def35c13-bb3a-5b8f-a1af-3b7edd6b53cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831458Z", "creation_date": "2026-03-23T11:45:30.831460Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831466Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e77d67300df62b68912b851a1570d1706f5ef7214f340dacc9b183593995337e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "defbb607-2629-550d-9a44-ec1bb262ab14", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474450Z", "creation_date": "2026-03-23T11:45:31.474454Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474464Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a9c34e35292bdbf1e112d13955a83548a9e6d0c907f8232a3caf2162cc20006b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "deff8520-d81a-5d94-b8d7-237c5936132a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474747Z", "creation_date": "2026-03-23T11:45:31.474751Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474761Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b72696370157b9ed2aa2cbed958b66836d4fc13099464cfc0e6758607961df19", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "df14440a-0095-5fce-9278-bb91178899be", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827455Z", "creation_date": "2026-03-23T11:45:31.827458Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827466Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8384f1b5b1e9dacbe78d329d5787f0ca8f10be035b796e9d19f7d81a9e3abacd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "df1c70b3-fa68-5d00-8a2a-9e32eb2bdde0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620675Z", "creation_date": "2026-03-23T11:45:29.620677Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620682Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "845f1e228de249fc1ddf8dc28c39d03e8ad328a6277b6502d3932e83b879a65a", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "df1c759c-8020-5f3e-b563-0f63270bd453", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486499Z", "creation_date": "2026-03-23T11:45:31.486502Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486509Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5bd0dc24102711f8c41cfa7299a2ab606224a8d52acf2a3cb9f7fc3d8102a8ff", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "df24868d-9e99-56ad-b279-4762de15c020", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967316Z", "creation_date": "2026-03-23T11:45:29.967319Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967327Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4a229ab274e364df92cc46ecbc9faab32f7b0955dab982658313f2faf9410863", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "df25a7b9-69a4-5e60-836f-f942c3d85338", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982050Z", "creation_date": "2026-03-23T11:45:29.982052Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, 
"hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982058Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea0b9eecf4ad5ec8c14aec13de7d661e7615018b1a3c65464bf5eca9bbf6ded3", "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/b03798af-d25a-400b-9236-4643a802846f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "df347e10-0d1a-5575-9b71-125ceafd1e96", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818548Z", "creation_date": "2026-03-23T11:45:31.818551Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818559Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aaadfbe909aaa736fcd05fc1c93653adf03f538f4a86a99c90aaabf00db193dc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "df373da0-6a43-5d5d-8ed6-9a81a506b462", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831937Z", "creation_date": "2026-03-23T11:45:30.831939Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831952Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "30c4bba32e37c9e23f2852a1f4ee2d932add867138b59a91ee0636d158d107c0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "df40da13-7216-542f-9129-8f5f25493d44", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476306Z", "creation_date": "2026-03-23T11:45:31.476310Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476320Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9ec7885c15536e216bf07925bd8251e034a91ccec52867bb306e7634f735aa48", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "df4302e7-87cd-5644-86db-58509df0c1b3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494140Z", "creation_date": "2026-03-23T11:45:31.494143Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494152Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b67eb9bd456204bab6446c08d31a86fd4bf02da67a52c12d99e9d5630b270c23", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "df57b911-233f-59be-95fd-074466828d63", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144652Z", "creation_date": "2026-03-23T11:45:32.144654Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144659Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "345ebed68c4e68aff5dd14c8df8524b69db4793845ca814bded608b246077792", "comment": "Malicious Kernel Driver (aka driver_099ef491.sys) [https://www.loldrivers.io/drivers/2ba1bccf-d8d7-464a-9ae1-41371c55e5e8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "df757311-db0d-5aa8-b32d-5fbc13ebd824", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827993Z", "creation_date": "2026-03-23T11:45:30.827996Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828001Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9a18654cf0bfa5223405493e42c4fca89a376ed06e6606d4339c951a5066c908", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "df770ca9-9ebe-505d-8ae1-2c0547490072", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834520Z", "creation_date": "2026-03-23T11:45:30.834524Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834533Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9e9c01d8717c3286edcd0fedc862570071be89947d2eb04eadd106a308a42709", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "df816063-520d-5938-abd2-83299c06d939", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472752Z", "creation_date": "2026-03-23T11:45:31.472756Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472765Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6e013f794babd59b9703ac2d199beb1d91a5c2908b30ba4ef60a6e4f12a5e8cd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "df850812-e935-54cf-9aa4-752a31d006e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462764Z", "creation_date": "2026-03-23T11:45:30.462767Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462776Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "af4f42197f5ce2d11993434725c81ecb6f54025110dedf56be8ffc0e775d9895", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dfa4b45d-a628-5a53-b344-c7628f177973", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494510Z", "creation_date": "2026-03-23T11:45:31.494512Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": 
true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494518Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5406ab98add13a7d31161488cdf92e910caf97be72122167898a3d6115d73a4a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dfaffc60-7408-5454-ac5e-fa6f78673c1c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472752Z", "creation_date": "2026-03-23T11:45:30.472756Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472777Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b9695940f72e3ed5d7369fb32958e2146abd29d5895d91ccc22dfbcc9485b78b", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dfb4f748-09ee-5f59-bd03-a308c2c388ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473396Z", "creation_date": "2026-03-23T11:45:30.473399Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473408Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b01ebea651ec7780d0fe88dd1b6c2500a36dacf85e3a4038c2ca1c5cb44c7b5d", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dfb58b5d-6f99-53ad-8de0-eb76f2e54ae6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494745Z", "creation_date": "2026-03-23T11:45:31.494747Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494753Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9f05a2cf863c80be0a142bf81fd46e3d8964ff6fad8430cbac63469552179b14", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dfbf7a4f-6516-59f7-8992-09226ff8e35a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819865Z", "creation_date": "2026-03-23T11:45:31.819884Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819893Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fe490ce5dee1028d46673a2bafa96952a320b8f9fe988c8fefcf1a1fdcbbcd36", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dfc61591-6b9d-5ed1-82e1-20c522b5ba47", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981523Z", "creation_date": "2026-03-23T11:45:29.981526Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981531Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dbebf6d463c2dbf61836b3eba09b643e1d79a02652a32482ca58894703b9addb", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dfc82f78-9f9b-54af-8eaf-f02d52bcd90f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488708Z", "creation_date": "2026-03-23T11:45:31.488710Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488715Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7480a9e5a0339f755820432d7e14acfcd6f2d20012bbdd599f67d123b79c3fda", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dfca525e-287b-5827-b6cb-f83cada3cd32", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151705Z", "creation_date": "2026-03-23T11:45:31.151708Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151716Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ceb3473a819cb39ec750f1ce21c563b49b6df8d973644f758ca979cb96eb2e73", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dfcb957e-8f0e-58a2-ae7e-8bca3bc1518d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.986178Z", "creation_date": "2026-03-23T11:45:29.986180Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.986185Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3f20ac5dac9171857fc5791865458fdb6eac4fab837d7eabc42cb0a83cb522fc", "comment": "Vulnerable Kernel Driver (aka pchunter.sys) 
[https://www.loldrivers.io/drivers/73290fcb-a0d7-481e-81a5-65a9859b50f5/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dfd5e0c9-88da-588c-b360-f4e513e87f47", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465426Z", "creation_date": "2026-03-23T11:45:30.465429Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465438Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1d23ab46ad547e7eef409b40756aae9246fbdf545d13946f770643f19c715e80", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dfd8be6c-24f7-570b-8dbb-c48f19b17fa5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140838Z", "creation_date": "2026-03-23T11:45:31.140840Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:31.140846Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b2503a559f90fd20870802a67b241d45e50c4f3be20b569a1c78bfe390ad1c4d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dfdaa7a4-b2d6-5fe6-b20e-b5ad61ab82b8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612735Z", "creation_date": "2026-03-23T11:45:29.612737Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612743Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "028aed97e90c5a231069a3fa0853c67ea5853c4bbfea6247c6f4b53509581d05", "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "dfdea1c0-e3ef-5240-a187-8db5ada278af", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832586Z", "creation_date": "2026-03-23T11:45:30.832588Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832594Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "825756750ca654e55536cc9ac53c9c090f943723e1dc88c5d8179f0001eab105", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e013bc0d-6b3d-5666-aecd-ad906f0a9f7b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969802Z", "creation_date": "2026-03-23T11:45:29.969804Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969809Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "968258fe6b307a7887465c7fb0a0b7b45f973b91deb8638af1428d247430d777", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] 
[https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e01990f0-d241-5db4-8cec-875462735a5b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810521Z", "creation_date": "2026-03-23T11:45:31.810524Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810529Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "09ed697c9fc0b66ddcb2839b6ba82088d5a9f7ce307ebab83524888606211d10", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e020bb92-1ebe-55bf-8d3b-31e1f949fcfd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142018Z", "creation_date": "2026-03-23T11:45:31.142020Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142025Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7d896a44696d3bc40219956db058238a269911a053eaf6eb4b43bf28efe1c07d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e022fcc0-e179-51c6-b7ee-2e31eaad95a6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477804Z", "creation_date": "2026-03-23T11:45:31.477808Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477861Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fbb597b01dd0323a6f59bf873635662802971080d9fb74b1d5dcfe86ad1d09a7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e02381bc-a11f-5e6a-939d-0389175edc40", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822936Z", "creation_date": "2026-03-23T11:45:30.822938Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822943Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6208a115fc72bc9014c7debb188c473c41f64e7ffeb3efbd31af6c48c0726702", "comment": "Vulnerable Kernel Driver (aka SBIOSIO64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e028b319-84c1-57ad-a8fe-9cac6e110c29", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493275Z", "creation_date": "2026-03-23T11:45:31.493277Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493283Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea1a63aa063f1cd46cccd934fb3a6b5c0cf7e37bc79ca53eb6d5a39eefcfcd6f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) 
AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e037fa8e-345e-5606-b4b4-6d8fb0925e1a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486668Z", "creation_date": "2026-03-23T11:45:31.486671Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486679Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "12060b757db0d78a2c6603930b6b08e79a90937f5e7d81ea0086b86fb0155fb9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e03dafb0-5ec0-5688-950d-1252cd95a83c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160666Z", "creation_date": "2026-03-23T11:45:31.160668Z", "enabled": true, "block_on_agent": 
true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160674Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1b52289bc4c5ce08fa3d1ab31d0c74c86564a39415cd55178e859d79b8f16117", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e03db9f2-a2d3-5028-98d0-bcd97c55374b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822736Z", "creation_date": "2026-03-23T11:45:31.822739Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822746Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "42d9b12949e06581c571488e2ff0725cf8d871f7405cab958e43c1bc71867a12", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e040864e-2a64-5391-8d15-aec54a1385b1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500735Z", "creation_date": "2026-03-23T11:45:31.500738Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500746Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a54b5b088967e6f65f37cf67c88e67c96a95487024d57cf39993b356898e5c45", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e0468411-5a02-5b72-8e45-12f2ea534bde", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604129Z", "creation_date": "2026-03-23T11:45:29.604131Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604137Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"c29e726448ad3e6452b5d186afb4668e6fcc942be512fe25ed72cfa1b73a6007", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e0505e7d-9e80-58f4-8cb0-ea6878de642b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622668Z", "creation_date": "2026-03-23T11:45:29.622670Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622676Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "94be67c319a67de75ebed050d5537cfaa795d72bba52f3d8cf349e7bd075410e", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e054a1e8-3565-5de2-aa8c-90effc3edca5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620981Z", 
"creation_date": "2026-03-23T11:45:29.620983Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620989Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b1d96233235a62dbb21b8dbe2d1ae333199669f67664b107bff1ad49b41d9414", "comment": "Phoenix Technologies Vulnerable Physmem drivers (aka Agent64.sys) [https://www.loldrivers.io/drivers/5943b267-64f3-40d4-8669-354f23dec122/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e0790e85-36bc-5afa-8d7a-8be260cfb549", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826138Z", "creation_date": "2026-03-23T11:45:31.826140Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826146Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "edf3fff43d2c3ec7530359d6042a4837238da206d2aa2381d698e3c10037381d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e07cc808-7faf-597c-bf8b-80fd01024b3e", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155558Z", "creation_date": "2026-03-23T11:45:31.155560Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155565Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c4543a2cf342355f2b1ac4e79b126115076b6cb2ebbc62529782378cf2b42cc0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e090feec-2655-5af2-9ee6-30946610a2f8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476274Z", "creation_date": "2026-03-23T11:45:31.476278Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476288Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"24a915857be068a8463703543fff24c763654d7d4ce6be40c7326fa148f6256c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e0911209-0e96-5071-8a07-1d12cd50e46e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829061Z", "creation_date": "2026-03-23T11:45:30.829063Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829069Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "778214a28e54d8e912649dd155e1ecd6d726bb7e9b0838acfc31786cf9654529", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e09c6930-6c1b-57b2-ae10-d2f297e2c3a6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140547Z", "creation_date": "2026-03-23T11:45:31.140549Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140555Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1bba43e137244ad10af8166cfe65780d1d42428cd0caba37ce5902f72187a208", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e09d84c6-03a2-54ad-b4cc-765ab16a6e21", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475216Z", "creation_date": "2026-03-23T11:45:30.475219Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475228Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "648994905b29b9c4a1074eef332bf6932b638bad62df020b5452c74e2b15d78f", "comment": "Vulnerable Kernel Driver (aka semav6msr.sys) [https://www.loldrivers.io/drivers/142453a2-a24d-4b35-8922-6d5939f1c0fc/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e09e8f67-f283-5401-909b-698973374f55", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493171Z", "creation_date": "2026-03-23T11:45:31.493174Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493183Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "799a8563d1b6efbfe833116c8af3b619bdf658ddba39cff7c7bb35e3f430b76b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e0c45fe2-421a-503d-ba84-3f298ad5a79b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978353Z", "creation_date": "2026-03-23T11:45:29.978355Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978361Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "1aaf4c1e3cb6774857e2eef27c17e68dc1ae577112e4769665f516c2e8c4e27b", "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/a7628504-9e35-4e42-91f7-0c0a512549f4/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e0c65e9c-03cf-590e-8e72-7d6bd8b2a89a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488134Z", "creation_date": "2026-03-23T11:45:31.488136Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488142Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3f631ad95bb296997a4d86cdcae9a5f4d2a05b47bdfab471b0905369bbbf4a32", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e0c6c1e7-7981-5c79-a6af-acb20f39b7d3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809315Z", "creation_date": "2026-03-23T11:45:31.809318Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809326Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f34be2c55f8a0102fedc6362afca94528c7ca5f52d5e260b64a5948b2723aad9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e0d679e1-613d-53ad-abf6-8530048afdd5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144718Z", "creation_date": "2026-03-23T11:45:31.144720Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144725Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3cd869794481f84f25229883550c0f02597f5ad1c44a3c5724ef0cddd236d4e1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"e0e51d84-9daf-5b1a-969b-f709939b5a32", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493293Z", "creation_date": "2026-03-23T11:45:31.493295Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493301Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "de4d8898dc5f8aadfe91dcf6735867e1fd204e0877a9ea8b0ccfd5d85a1dac8c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e0ecb629-6364-5f83-bcb2-4d33f5bf794f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981782Z", "creation_date": "2026-03-23T11:45:29.981784Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981789Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "79e7165e626c7bde546cd1bea4b9ec206de8bed7821479856bdb0a2adc3e3617", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e0f005b5-4ef7-52d6-87b6-3b66572a1ae4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149771Z", "creation_date": "2026-03-23T11:45:31.149773Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149779Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "92f884e715a70dd25c030410f9b03b17ad8aacabc524fa081979abffbd00d744", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e0f4d53b-da5a-5a82-8c15-a2dabae7788a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146026Z", "creation_date": "2026-03-23T11:45:32.146029Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146034Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e055fdfb914e3da936eb7745acb665f50346df9abac597cf43d487262a6a12d5", "comment": "Malicious Kernel Driver (aka kavservice.bin) [https://www.loldrivers.io/drivers/77157886-00f9-4f6e-b217-d896813b630f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e1027d6a-d5e2-5b56-ae59-586d13148821", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615451Z", "creation_date": "2026-03-23T11:45:29.615453Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615459Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fa861c61102cbcaa1e5f6020deaa066c4fcdfaee3ded1ee156ab81d59ad54f9a", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e10de787-42a8-5045-9d48-f1f478df1b75", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605395Z", "creation_date": "2026-03-23T11:45:29.605397Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605402Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc", "comment": "Backstab Process Explorer driver (aka PROCEXP.SYS) [https://github.com/Yaxser/Backstab/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e10ff572-a15d-5cef-9a2e-3bea9f95590e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473912Z", "creation_date": "2026-03-23T11:45:30.473915Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473924Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"6b56978dd0fc606668c0ed2698b3b22ef53dc6e4a676a4c5479438425d4e60a9", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e13e6e5d-d62a-562d-a1a5-c66500741f20", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455136Z", "creation_date": "2026-03-23T11:45:30.455140Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455148Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0123c7f12dd7530d55aee49949ff1fee911c9689bd04591684aa641882589785", "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e141ddae-7102-5721-bfa7-e36f20989306", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498063Z", "creation_date": "2026-03-23T11:45:31.498067Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498076Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "148653ffa53559fdb98c87a1f562487ad6632d33fc76d57f696a5eba9cf5e9ef", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e14ec1cc-7658-5824-b7fe-4a3aee46c8d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146502Z", "creation_date": "2026-03-23T11:45:32.146505Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146514Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "25819a8c8f2ebceef661d751a56a024a5584f8283d9600273e52d18923c9f455", "comment": "Malicious Kernel Driver (aka f.sys) [https://www.loldrivers.io/drivers/17a1ad58-ecf3-4dea-b1ca-336880d15256/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e15496d7-da94-54cf-ac92-c8f109458674", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145912Z", "creation_date": "2026-03-23T11:45:32.145914Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145919Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d9f15d91397d1c8d01b6d6871c4f18f3a85ca85f091a92f4e9221524344ca5fe", "comment": "Malicious Kernel Driver (aka driver_d9f15d91.sys) [https://www.loldrivers.io/drivers/576bb95a-f15e-4a0d-bcee-08791e1504e2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e15f2979-06b1-5cab-8cef-be42b7834720", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836282Z", "creation_date": "2026-03-23T11:45:30.836285Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836294Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "526d9241fcf4b67d9c11103a007f648e4f7acb5c82d6bc10df1d836c11d44a03", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e1607942-a038-5718-b613-8aa5fc4886ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606667Z", "creation_date": "2026-03-23T11:45:29.606669Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606675Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd15583e9503a6a5e37aa695a9625fe10abb0ea67f298ef529e0061d67aca99b", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e162139f-f7cc-50d7-80b3-875f45d23bb4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981420Z", "creation_date": "2026-03-23T11:45:29.981422Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981427Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d8cfc9abea6d83dfea6da03260ff81be3b7b304321274f696ff0fdb9920c645", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e170d139-8d3a-58d0-bb5b-af7d4ca11b6b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473059Z", "creation_date": "2026-03-23T11:45:31.473062Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473070Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ccff824db4c41ee922e8f65035b198ae0d5a28861b3d1cf184a15bc90487ad6a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e1720f4d-13c4-50de-b21a-d2ef141ca899", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472124Z", "creation_date": "2026-03-23T11:45:30.472127Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472137Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ac1af529c9491644f1bda63267e0f0f35e30ab0c98ab1aecf4571f4190ab9db4", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e17b7f53-a818-54b0-aff3-0eaf76c8b300", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971821Z", "creation_date": "2026-03-23T11:45:29.971823Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971828Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "af7b9e3dca8fd4f9eb548bd06cf9f14dbce9f947fc375064aa90b47e7ee8940c", "comment": "PowerTool Hacktool malicious driver (aka kEvP64.sys) 
[https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HackTool.Win64.ToolPow.A/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e181caf6-5a5d-5f43-9fd8-212e8d61d575", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141664Z", "creation_date": "2026-03-23T11:45:31.141665Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141671Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7415b025a04d7c655815c27eff2c449ff2a88a2ed8ebede11ba705c87f5b6cbc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e18986d9-c37b-5317-a517-5819d5e8fd66", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971282Z", "creation_date": "2026-03-23T11:45:29.971286Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971294Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "45f42c5d874369d6be270ea27a5511efcca512aeac7977f83a51b7c4dee6b5ef", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e1b17f61-2b1f-518e-9f81-cb0ece8062b2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469629Z", "creation_date": "2026-03-23T11:45:30.469632Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469641Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6f18cb98188952eb08367adc1c6810e4b1c3902240fdcb15efa0ffb1b69a5f98", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e1b75aa4-8796-5d9e-86d1-ed431c9ef5c4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621246Z", "creation_date": "2026-03-23T11:45:29.621248Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621253Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2da330a2088409efc351118445a824f11edbe51cf3d653b298053785097fe40e", "comment": "ASUSTeK vulnerable physmem driver (aka AsIO64.sys) [https://www.loldrivers.io/drivers/79692987-1dd0-41a0-a560-9a0441922e5a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e1c9ff54-3610-5e58-bf7a-e7cf920d45de", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489213Z", "creation_date": "2026-03-23T11:45:31.489215Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489221Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6ec994d3d1963e5ae76bee42edcb54357370e218c41a07851bf13ec0a3220d7f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e1d37d52-0fea-5be7-bf93-50410832e083", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831677Z", "creation_date": "2026-03-23T11:45:30.831679Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831684Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0e7da30faa89f8c902845f7907295541eb3d2f5d9f1a7cda6456255cfd3b3789", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e1d46c39-3d2c-5fa3-a204-d1b72091b370", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830861Z", "creation_date": "2026-03-23T11:45:30.830863Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830880Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ceeff1bc2380597228991c7ac8f03a3106822e7fc93548ed0b48706355743e7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e1d61157-e381-54d7-b5da-0a6ca49dca2d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499641Z", "creation_date": "2026-03-23T11:45:31.499644Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499652Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a7c2281f2a8c6b76a815a9e3ee68a3b4fcf0deaead3bf5c9784d6d75eae77135", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e1e083b0-ba0e-59ce-8224-8af614b2fc4a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465654Z", "creation_date": "2026-03-23T11:45:30.465657Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465666Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e858de280bd72d7538386a73e579580a6d5edba87b66b3671dc180229368be19", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e1e1bf18-0874-54c4-b85a-472a4b53fa62", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499188Z", "creation_date": "2026-03-23T11:45:31.499191Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499200Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "33a4755218bbe461ac13eb2adb2b32042afca0f6f357134624210e7e2a9ee30c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka 
truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e1f13007-332b-5996-b722-8d8a9d141a93", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.478216Z", "creation_date": "2026-03-23T11:45:31.478220Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.478230Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5b2c503e6bed4a29973c7b27888a52216ee90a3db54aa9cd2ecabee04c028063", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e2085497-e760-5e9f-956a-243fd4a471b0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473125Z", "creation_date": "2026-03-23T11:45:30.473129Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473137Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bc8cb3aebe911bd9b4a3caf46f7dda0f73fec4d2e4e7bc9601bb6726f5893091", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e208ebb8-e51d-501b-b1ca-e32bf84d4d7f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824404Z", "creation_date": "2026-03-23T11:45:31.824408Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824417Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "80f3535ebfa3f9448baa7074386872e8db8fad71da7fa7ef79a0a3ddf694f982", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e20df849-eb71-5be5-9ff7-a8514093e184", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146117Z", "creation_date": "2026-03-23T11:45:32.146120Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146125Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9d06688123a9251aeb76ac8dad2af956566e2f1051550988611c7623dbebb3d3", "comment": "Vulnerable Kernel Driver (aka neofltr.sys) [https://www.loldrivers.io/drivers/c44e6197-efab-49d2-8a5f-04ae4a0f0ea0/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e234e327-12e7-5f8c-92a1-5e1210e296fe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980340Z", "creation_date": "2026-03-23T11:45:29.980342Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980348Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2665d3127ddd9411af38a255787a4e2483d720aa021be8d6418e071da52ed266", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) 
[https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e239108c-8623-5317-99f7-0fdedc38ac1e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819019Z", "creation_date": "2026-03-23T11:45:30.819021Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819026Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "40ebdd21c93146a92536688a230801791a86e2bec2719896a3d629ad930e9f17", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e23f6eac-0453-5211-916d-4ccddfbe0a01", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495417Z", "creation_date": "2026-03-23T11:45:31.495420Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.495425Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3f76f5b988cdf003d62c75db7a866a88ff266485bf74e51492134d83b94a9bce", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e247529f-ff12-51f9-ac92-07683f3159b9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613224Z", "creation_date": "2026-03-23T11:45:29.613226Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613232Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a7c6f397f1fb230627bb537e1cf59283be04d17d050a384661e00aba6877b145", "comment": "ASUS vulnerable UEFI Update Driver (aka AsUpIO64.sys and GVCIDrv64.sys) [https://codeinsecurity.wordpress.com/2016/06/12/asus-uefi-update-driver-physical-memory-readwrite/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e2514b33-6230-55f6-bed3-d4f3581fb251", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462984Z", "creation_date": "2026-03-23T11:45:30.462988Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462997Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a85d3fd59bb492a290552e5124bfe3f9e26a3086d69d42ccc44737b5a66673ec", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e253c5e3-dbf2-50c5-9eec-ea5270254fa8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819209Z", "creation_date": "2026-03-23T11:45:30.819211Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819216Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "db0bcfb5bbd93abc8682508af224a1aa5e96f82f037ee0ba26d1d02a3d639a2a", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) 
[https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e267c3eb-213d-53fd-8ab4-02e1ca348d21", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828596Z", "creation_date": "2026-03-23T11:45:30.828598Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828603Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "41de3c49f4f1a68015cafad2d26e52a94ad84c6115ca8a3a6f30f694501166c7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e26c5a57-f487-591b-806b-95b6365e7509", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815815Z", "creation_date": "2026-03-23T11:45:31.815817Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": 
true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815822Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a9da4966af33f53ca136ed1e329183d4920e8bb6c0d5e78bbe0ef318b110ac54", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e273a147-e68e-5a83-abb0-e9b4e38b4aa0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482122Z", "creation_date": "2026-03-23T11:45:31.482127Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482136Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c052dc397f7511e3efe9ca222a43aa2b23a4d7e0919236dcbfafef1ebbb42d55", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e27d1beb-34e6-5912-b81e-aab112a892a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981957Z", "creation_date": "2026-03-23T11:45:29.981960Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981966Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3a95cc82173032b82a0ffc7d2e438df64c13bc16b4574214c9fe3be37250925e", "comment": "Vulnerable Kernel Driver (aka TGSafe.sys) [https://www.loldrivers.io/drivers/ad693146-4adf-4407-bb20-f2505e34c226/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e27e832f-c988-5829-9bf0-c3cc6899bc3f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985521Z", "creation_date": "2026-03-23T11:45:29.985523Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985529Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0bec69c1b22603e9a385495fbe94700ac36b28e5", "comment": "Malicious BlackCat/ALPHV Ransomware Rootkit (aka fgme.sys, ktes.sys, kt2.sys and 
ktgn.sys) [https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html] [file SHA1]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e288ee5e-f8d9-58f6-a965-344e85b4f4a5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826728Z", "creation_date": "2026-03-23T11:45:30.826730Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826736Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f24b7c60fa8ca31d84525aa5bb83390a27221a4699e9013cb2d2bfe309cc233b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e28da84a-7eff-536e-a1cf-bd52ea37fbf1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974818Z", "creation_date": "2026-03-23T11:45:29.974820Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974826Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "81c301c77dbfff44567165139e9a5ee3af2aee838298451c7075dc6e1aae489f", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e2e004d6-948b-56b6-a67f-b422fa79aaa0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487469Z", "creation_date": "2026-03-23T11:45:31.487471Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487477Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "66394d18086f41b56ea4b0ef6292204274c2effc63247934a4b2bf5f9a583d7b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e30ab370-8d90-5e40-8216-01249ab22bb2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459765Z", "creation_date": "2026-03-23T11:45:30.459769Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459777Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1beb15c90dcf7a5234ed077833a0a3e900969b60be1d04fcebce0a9f8994bdbb", "comment": "Vulnerable Kernel Driver (aka Driver7.sys) [https://www.loldrivers.io/drivers/9ca73d04-3349-4c16-9384-94c43335a031/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e3251261-a83c-51ad-8a89-5b24a67cc2a3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144305Z", "creation_date": "2026-03-23T11:45:32.144308Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144318Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fa96eca78a57b779fd398294ae2519b7c4fe9e4369e6e7fa5167aebbe6e0c09a", "comment": "Malicious Kernel Driver (aka idmtdi.sys) 
[https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e32629ec-8c02-50fe-9457-71bccff6d1db", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476083Z", "creation_date": "2026-03-23T11:45:31.476087Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476097Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5c16a31bdd0b2163034d3b45dbe7e57ed733d4cc0fdedddc1dd5ca16bb9ebb05", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e334ef88-95ca-50b3-a0dc-2967a51fe2ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613529Z", "creation_date": "2026-03-23T11:45:29.613531Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613536Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a60efb06feeb96bad4b8d814896609b6bda6f130464aa963a881a38a3f06b7cb", "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e3363f98-d8e6-557c-8c91-7f0772b47f24", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140267Z", "creation_date": "2026-03-23T11:45:31.140269Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140278Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d7758ddbec387b671f9027f0feda7d34797ce9e92eebb3bde2087a4d4cab8aeb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e33b69b6-fa1f-5abb-ae24-950ce83782bf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836612Z", "creation_date": "2026-03-23T11:45:30.836614Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836620Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e01fc93068d3447fcee27f4d41bfe607ccb0a23c80bf3accd5578de30623b7f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e34249cf-8da0-5997-b98a-cc8c4d0b39cc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471104Z", "creation_date": "2026-03-23T11:45:30.471108Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471117Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "577e381b5d36faf15cde84ed59c51e2dcb65d90140848111429e1c8cfb0553f5", "comment": "Malicious Kernel Driver (aka mimidrv.sys) 
[https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e34366a5-f864-5021-bb90-411b356f146a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491220Z", "creation_date": "2026-03-23T11:45:31.491223Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491230Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2b6a4ce32a2e97c1f093266abfb29344ce3fa67943623bbeef76f16500ac749d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e3457e60-53e0-5e3c-92eb-22443a9d625f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983264Z", "creation_date": "2026-03-23T11:45:29.983266Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983271Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d7c683ef033ac2dc4dfa0dc61f39931f91c0e8fd19e613f664cb03e14112ef6e", "comment": "Vulnerable Kernel Driver (aka DBUtilDrv2.sys) [https://www.loldrivers.io/drivers/bb808089-5857-4df2-8998-753a7106cb44/,https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e37d40f3-f9b7-5c2f-80d4-2e7a91f6ba2e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152778Z", "creation_date": "2026-03-23T11:45:31.152781Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152788Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6bb4baa4a8a4b078d79cfd5121ed6ba35b52a59cfb76e975fa68ca4feb39228a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e384213f-d380-5c64-a267-fb4d5916b9fe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481422Z", "creation_date": "2026-03-23T11:45:31.481426Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481436Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8ec96f1f1d48a9a6ed971de2bae57b37f5a4abe8e81e7376a9be53403f62582d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e384b630-08b0-59b7-813f-c9a6b87b9418", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474176Z", "creation_date": "2026-03-23T11:45:30.474179Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474188Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"d8e3548efca46a3aceca747622881843b170225957cffeacfd149c25907ecf2d", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e3951ebf-e1a1-5b92-9012-b0523f46d94a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148364Z", "creation_date": "2026-03-23T11:45:31.148366Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148372Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2abf81a54f0c87e8a84aa3cc947670a7e0d0c4a22cc9b64435de29fc3139bd9b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e3972cdf-ddf3-5289-9c01-63c995afe505", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968132Z", 
"creation_date": "2026-03-23T11:45:29.968134Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968140Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8774638b1b77665496dde96f1016f498bd91c062a9133d4faef6feeb0b7778e7", "comment": "Projector Rootkit malicious drivers (aka KB_VRX_deviced.sys) [https://twitter.com/struppigel/status/1551503748601729025] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e3b1ba13-a439-56f7-84da-c56124cde439", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148114Z", "creation_date": "2026-03-23T11:45:31.148116Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148121Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d23efbd84ed31fbb76a644d27553765f76725fbd97d02f9cdbc390ccb278bae", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e3bc8849-22ad-5370-8d73-3a20875e7504", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477451Z", "creation_date": "2026-03-23T11:45:31.477455Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477465Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "63142b7b40371b449f51a94b8fdfce02ab23e0b9b17539ffbc34caa03a8a3388", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e3d329ba-1554-58e3-b9b1-5b2fafeb4fa7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485579Z", "creation_date": "2026-03-23T11:45:31.485582Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485592Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"a685c5633e5f84736ff0df187118feeafc957f8a41cfad02d121d380cf5e7e55", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e3e578e2-95d1-5810-9d1c-fc0a555bebbf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611428Z", "creation_date": "2026-03-23T11:45:29.611430Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611435Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "72f9cb24cfa641876f34967b96244259f95987ef24d1d729c0e483b3eb9a2740", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e3e85930-6b6f-5346-ac89-d0e8d55e060f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.836504Z", "creation_date": "2026-03-23T11:45:30.836506Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836512Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab3ef21f5a64c36ddacb54348711f94609850745824185b7286759e635a1c027", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e3ea0e71-eec5-50fe-a18d-69c973fba937", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459157Z", "creation_date": "2026-03-23T11:45:30.459160Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459169Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0f3e7bf7b103613844a38afb574817ddaecd00e4d206d891660dbb0e5dfee04e", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e3f1aa89-8f1d-5130-b392-08007300f9d8", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474090Z", "creation_date": "2026-03-23T11:45:30.474093Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474102Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "14b04931ee50e5d2560f42cc33b05f047886a8a7d45b3274ae78e5646a1cf1a5", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e3f3721a-89fc-568a-9006-09b242e5680f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612018Z", "creation_date": "2026-03-23T11:45:29.612020Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612027Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"0c512b615eac374d4d494e3c36838d8e788b3dc2691bf27916f7f42694b14467", "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e3fc9596-6771-530c-95a8-a5e6dfe1d0f9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976389Z", "creation_date": "2026-03-23T11:45:29.976391Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976400Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e3fd6c85-c1bc-5f85-b843-60329bd5f6f2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457965Z", "creation_date": "2026-03-23T11:45:30.457968Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457977Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "653f6a65e0e608cae217bea2f90f05d8125cf23f83ba01a60de0f5659cfa5d4d", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e3ff176c-17f0-5022-ac80-52219112f312", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612774Z", "creation_date": "2026-03-23T11:45:29.612776Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:29.612782Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1631d124bd8b2917c37abfe0f7b3dfa9e309ec54f69bdab2e2b5de3929d523d7", "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e41669fa-7c44-5aa2-a90b-b93dd4c6dc6f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824461Z", "creation_date": "2026-03-23T11:45:31.824464Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824472Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "153533a9f0457d657ba83aa8266b9682ec4be382c5ba7e9b2a8f46c8e40f1847", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e419957d-8a5d-57b8-aade-b4206bef0dc8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145412Z", "creation_date": "2026-03-23T11:45:31.145414Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145420Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5df6f4e9933b3daca829cd5655b87c96b00660a5ac676a78daa8ae48ae77b820", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e42ae20d-cc86-5322-a490-4b9cf30f150a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981801Z", "creation_date": "2026-03-23T11:45:29.981803Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981809Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dfaefd06b680f9ea837e7815fc1cc7d1f4cc375641ac850667ab20739f46ad22", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) 
[https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e434abe6-b708-509f-bbaa-2fc7db032dd2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825316Z", "creation_date": "2026-03-23T11:45:30.825319Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825327Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7eedcffe6307d3ed362abccdba78c801f02eb6e1ec409b350c85b46af6cb78a8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e439795b-3935-5d3e-9a77-acddecf92b81", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145921Z", "creation_date": "2026-03-23T11:45:31.145924Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145932Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2dc4b9468188d2f82162d605bf5ee5cd15826af5758708dc4df9260c3e301afd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e43bd353-9a22-5267-ab25-e86d8cb33707", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495632Z", "creation_date": "2026-03-23T11:45:31.495635Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495643Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "090c615cc3e63a3960f7ecaad8db7305308a6b38e1a4648a24f75f39a9d59318", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e43e1132-eb39-5857-b0b2-dde3cb8248c4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149536Z", "creation_date": "2026-03-23T11:45:31.149539Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149549Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea1393cb9e0e2e0dcb9447803ef545cd15450888e3d11b95687fec5e7120951c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e4540ad0-a322-51ff-827a-e623ea00cf0c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613824Z", "creation_date": "2026-03-23T11:45:29.613826Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613831Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "20c87381f8f0bf953cb109a5d50a2184c0104cc8ab30e2f94dfba89a5d19b9d8", "comment": "BioStar Microtech 
drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e466229e-6f49-5adb-a49b-76ca430abbee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469571Z", "creation_date": "2026-03-23T11:45:30.469575Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469583Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2c5c067497a0490e9fe79d0e4f9f759af93138b1a0bea08a89af09e119390c7a", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e46a6add-3fef-53a3-8afa-9bddb547f6e4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.482454Z", 
"creation_date": "2026-03-23T11:45:31.482458Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.482467Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "89df4a4c238e810dfce318f53f61f4837c821f3b6387e82be653d59f1e5202d6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e46c1780-5889-5489-8813-2669a63d87e3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149336Z", "creation_date": "2026-03-23T11:45:31.149338Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149344Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c610def6e9b350c198eeaa929743e1ba961cca04eff5a65b1e5b5eeed71f7d1b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e46e1ee8-407f-5dfb-be22-a02a191749d3", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494457Z", "creation_date": "2026-03-23T11:45:31.494459Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494465Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5c095dcbe167ec1a6b128d565954da5d68361780afdf89286860a572bd8210d2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e47e8046-bdf5-52bf-9223-b5e9683b73ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151498Z", "creation_date": "2026-03-23T11:45:31.151501Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151511Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "0b2007739377d936d092b86d05f8cbaaf72330033d9a1601fa7b0dda4923f927", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e49510a1-37c7-5849-9ccb-d9d46952dcb4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811933Z", "creation_date": "2026-03-23T11:45:31.811936Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811941Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a277340559f47f2bb547268d30d302864d7b80600e0331d242b29235001b1048", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e4961f21-2f5d-5aa2-9b5f-dd803d0955f3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972198Z", "creation_date": "2026-03-23T11:45:29.972202Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972210Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "785e87bc23a1353fe0726554fd009aca69c320a98445a604a64e23ab45108087", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e498e987-6b6c-5fc7-9dc9-a930230ad597", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818683Z", "creation_date": "2026-03-23T11:45:30.818686Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818691Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9e855f9d5f5f4dc9420f34045df5d2c70498468f076d873571fc62e4015e38d3", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e4a155ab-6117-5a67-97f2-60f2054ca123", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977374Z", "creation_date": "2026-03-23T11:45:29.977376Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977382Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "082d4d4d4ba1bda5e1599bd24e930ae9f000e7d12b00f7021cca90a4600ea470", "comment": "Vulnerable Kernel Driver (aka ProtectS.sys) [https://www.loldrivers.io/drivers/99668140-a8f6-48f8-86d1-cf3bf693600c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e4a22f12-95f2-5f71-bff3-25ce095bebe2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494728Z", "creation_date": "2026-03-23T11:45:31.494730Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494735Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"aa0014bf98d3e807ad05fd465c160b2e2a6fc85b63cab8b44571d54636a1a684", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e4a40c04-3718-5057-b001-f426504b92be", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461781Z", "creation_date": "2026-03-23T11:45:30.461784Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461793Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "14bd76f66fe5749d1812f7cf47cc5f9a8a830c53a7ede5e42a14a4140a70f5d2", "comment": "Vulnerable Kernel Driver (aka mhyprotect.sys) [https://www.loldrivers.io/drivers/7abc873d-9c28-44c2-8f60-701a8e26af29/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e4a78d58-c104-5488-9b9d-410cadce7b04", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.828155Z", "creation_date": "2026-03-23T11:45:30.828157Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828162Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0ca522bfa1a08f92ad68c77df2ec585452072d87484ae93f778df07af19cf76f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e4a9cb56-a3ad-5750-911b-70ad2ddc2b75", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827954Z", "creation_date": "2026-03-23T11:45:30.827957Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827965Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3807e9a1bc159b9e8fc0c7caad10d7213ff8ed8ad1cea9ea552b093c81bf624b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e4abfe1c-cac0-591d-9f9c-8f685868374f", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615255Z", "creation_date": "2026-03-23T11:45:29.615257Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615262Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6f96c129eb96bc4df9a7d247a98fecb9a3801dde63281ac1aba3d2ef869d32a5", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e4b0afa1-1623-5c44-b245-093aa1840e4b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976482Z", "creation_date": "2026-03-23T11:45:29.976484Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976490Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "43374fd68dc06c8491b16d177156444ee44f497bbceafd0165f40ba48bf6802f", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e4b80841-e72b-579a-ac61-f40f15e9d523", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148899Z", "creation_date": "2026-03-23T11:45:31.148901Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148906Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "da991abd9e1c29dd2a1dc0052222d7ca680ef98f7b953ee2f1c97e2edd189c43", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e4ba60c3-c528-5fbf-815c-3171b5cfad2f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968545Z", "creation_date": "2026-03-23T11:45:29.968547Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968552Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2594b3ef3675ca3a7b465b8ed4962e3251364bab13b12af00ebba7fa2211abb2", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e4beb15d-1ab2-5965-92a3-ede31f804fe9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619629Z", "creation_date": "2026-03-23T11:45:29.619631Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619636Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ca213b79336c69128620bc39e6d987c1e605299fb6525344ba1b08b7829197c7", "comment": "Insyde Software dangerous update tool (aka segwindrvx64.sys) [https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Program%3AWin32%2FVulnInsydeDriver.A&threatid=258247] [authentihash SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e4bf71f1-1a99-52d4-a6bc-a9b6fddc6fbd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491394Z", "creation_date": "2026-03-23T11:45:31.491397Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491404Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1cecaab47700515a475fc4a3385b4463a743db9a9612aebbd68f9aa065c7bcd6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e4c41d35-4002-592c-9d97-03390ad0dec0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614885Z", "creation_date": "2026-03-23T11:45:29.614886Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614892Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd4a249c3ef65af285d0f8f30a8a96e83688486aab515836318a2559757a89bb", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e4d35d1e-2b94-55aa-88b6-b5f018cc7526", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817540Z", "creation_date": "2026-03-23T11:45:30.817542Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817547Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "700b9839fde53e91f0847053b4d2eb8d9bd3aca098844510f1fa3bab6a37eb24", "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e4e23811-0d49-56b9-a017-bd44ce8c0c4f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474530Z", "creation_date": "2026-03-23T11:45:30.474533Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474542Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2274f63f88ec9b2d2ecfca3068026d62cf3085f76329b11b37498ce2b2b644a8", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e4e3b56a-2585-5339-bd66-3c8b888f6fac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144236Z", "creation_date": "2026-03-23T11:45:31.144238Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144243Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "18783da092f16c67f269ab2dd4f62600efc3d4eb5a93b279ecfc5be4584b6628", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"e4f85165-01a2-5363-9715-55fd1a294dbb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149963Z", "creation_date": "2026-03-23T11:45:31.149965Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149971Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4bc651859a42e13f267b48a759098915bfac28372fd9c18c64ccbac1922adcc8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e5052ef3-4151-5de4-9828-9c1dc06777f6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479047Z", "creation_date": "2026-03-23T11:45:31.479051Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479061Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e0c3dacb935b9f70192e0cade7d8a5cf3003d0a6fd22170198d9be422437e8d0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e5162dd4-961a-5996-95d3-8e6c8c5fca6a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156535Z", "creation_date": "2026-03-23T11:45:31.156537Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156542Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a642fd26c18c5806aa5c5f9208118ff73d4fa6c5a78a29b552552a2160b355ad", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e52455e3-40d0-57fc-882d-79b78cbaf6ae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814389Z", "creation_date": "2026-03-23T11:45:31.814392Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814400Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7e98e71356773016fa51de8a675e58ccc506426d203c13f7ddf3642304ae9db5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e52654c5-b3cb-59b1-b17f-8456e7e35f89", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614249Z", "creation_date": "2026-03-23T11:45:29.614251Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614256Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d55dd56e24df201d1ad2204d565da5e8e6080d895c1ac2873a6afdcbb4c8b8c7", "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [authentihash SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e532d449-3187-55e2-b64d-6752d5d8fc61", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604950Z", "creation_date": "2026-03-23T11:45:29.604952Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604958Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "93969f4b5e79795322d88bd491cef1092f93f84c5f4e264e89f31dc9521995e0", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e5489231-42ac-5239-a4cd-ab3f16369f73", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825646Z", "creation_date": "2026-03-23T11:45:31.825648Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825653Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "4bee9495bd010444b16de63df1273db3b2b0d4913951bc03da73a39274e1255e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e55b5bea-ace3-5f55-878f-a41272afbb8f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452247Z", "creation_date": "2026-03-23T11:45:30.452251Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452260Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bb29eb4651e3276b14217628e96a1e5d83c4e883cd29ebd75aa704dda462e82d", "comment": "Vulnerable Kernel Driver (aka mhyprot3.sys) [https://www.loldrivers.io/drivers/2aa003cd-5f36-46a6-ae3d-f5afc2c8baa3/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e55d2545-f0b2-54f8-a9df-828cdf1ddcce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456190Z", "creation_date": "2026-03-23T11:45:30.456194Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456203Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "603ccc97a198b004f9fa56deed2295d1b2d42ef01f22d80a00cb28bcf1b85646", "comment": "Vulnerable Kernel Driver (aka kdriver.sys) [https://www.loldrivers.io/drivers/51808fa6-89a4-4f4d-aabc-0a7b0e99e34d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e5709818-95ab-5630-9444-79cc62fae133", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142718Z", "creation_date": "2026-03-23T11:45:31.142720Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142725Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4b831a6ff8e42f6cce281f70dcf2c8a8787f46316804a03d7a55559e6b9819fd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e572d5c6-e785-55f8-8369-8640663b381d", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478288Z", "creation_date": "2026-03-23T11:45:30.478291Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478300Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b50b11e2203942695380869c6072e15479290bc57da2ec5df3481a36b8a8561e", "comment": "Vulnerable Kernel Driver (aka vboxdrv.sys) [https://www.loldrivers.io/drivers/2da3a276-9e38-4ee6-903d-d15f7c355e7c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e576b0cf-5f2d-5bf9-ab56-af1e9ee29c46", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984601Z", "creation_date": "2026-03-23T11:45:29.984603Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984609Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"ad23d77a38655acb71216824e363df8ac41a48a1a0080f35a0d23aa14b54460b", "comment": "Vulnerable Kernel Driver (aka sfdrvx32.sys) [https://www.loldrivers.io/drivers/2ada18ae-2c52-49b6-b1a0-cf3b267f6dc7/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e581d178-dfb6-5666-afd5-3927e99524cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972970Z", "creation_date": "2026-03-23T11:45:29.972973Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972978Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8137ce22d0d0fc5ea5b174d6ad3506a4949506477b1325da2ccb76511f4c4f60", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e5822ea3-f133-5f6f-b6a4-366101b00e48", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983031Z", "creation_date": 
"2026-03-23T11:45:29.983033Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983039Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8a844a8d993db0ee1159b096aee959e32bb9155edd9167b1e6aad2e4019202dd", "comment": "Vulnerable Kernel Driver (aka WiseUnlo.sys) [https://www.loldrivers.io/drivers/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e5836158-e976-5d90-8850-15f829447f5d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619894Z", "creation_date": "2026-03-23T11:45:29.619897Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619902Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2645298d84585fa987450aa11687b73739cbbc26abaa8125099cae5889beb211", "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e58d1935-7b5f-5922-a990-9f48583b42ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829977Z", "creation_date": "2026-03-23T11:45:31.829979Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829984Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fb087998562cc6ac2fa31eb975d6d5cb112f05590a4c0026d7261b351ee66994", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e5969a35-df2f-5d38-915a-25ea2f673383", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460322Z", "creation_date": "2026-03-23T11:45:30.460325Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460334Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bac1cd96ba242cdf29f8feac501110739f1524f0db1c8fcad59409e77b8928ba", "comment": 
"Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e5a07acb-241c-57f5-a7ab-33ba4114581c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146655Z", "creation_date": "2026-03-23T11:45:31.146657Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146663Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6ec76a3ae9ae2579d0aa7e44c6338a1436fbc28bbbeb2f586f3ccea31f7a6ec1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e5a48ccf-bc66-5b65-a4f3-16546467a565", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808686Z", "creation_date": "2026-03-23T11:45:31.808688Z", "enabled": true, "block_on_agent": 
true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808694Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "37299f468d95e1ad7b169792f34050353f95d6e57cd0a1e0d6b1c20f3481ee09", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e5a978f5-9c98-5931-bb3c-b3c7ccd52133", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817696Z", "creation_date": "2026-03-23T11:45:30.817698Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817703Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f9db97bd12d2d734ccd86045bae1fd5fbeed106ba5cfa519e6fcd9093c1c04a6", "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e5abb75d-c640-518e-8919-d129d537df61", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818495Z", "creation_date": "2026-03-23T11:45:31.818499Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818508Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "220b989ee7056dde3c5e1fbcc26b66ba23b14f3a2b1ea8ea943c7f58aa4b5a44", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e5af8ee1-e553-5193-b423-131a20178fcc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620107Z", "creation_date": "2026-03-23T11:45:29.620110Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620115Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eb71a8ecef692e74ae356e8cb734029b233185ee5c2ccb6cc87cc6b36bea65cf", "comment": "Vulnerable Kernel 
Driver (aka semav6msr.sys) [https://www.loldrivers.io/drivers/142453a2-a24d-4b35-8922-6d5939f1c0fc/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e5bd0af1-0dc9-509c-b2b9-053a2bdb4866", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617501Z", "creation_date": "2026-03-23T11:45:29.617503Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617508Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "38bb9751a3a1f072d518afe6921a66ee6d5cf6d25bc50af49e1925f20d75d4d7", "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e5bf72f2-173f-5150-99bf-0fab059c4e03", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.475730Z", "creation_date": "2026-03-23T11:45:31.475735Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.475745Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "be9a3cad35f1cc574c4ad806004a53d0d2b82e70f00677f15c2563fd93f911dc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e5ccf01e-21f8-5477-b664-3faa190f953f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492179Z", "creation_date": "2026-03-23T11:45:31.492181Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492186Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "70741d40dc7f0f7522b177846cdd4440c191f137642fa22c0eb86861dca5a6f0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e5dfcda8-175d-5a20-bb22-5334588b69f5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976552Z", "creation_date": "2026-03-23T11:45:29.976554Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976560Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "45b9eee68266d1128bc252087f4a8ae18dbb0e0b6317e28bc248b25ca2431a56", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e5e00e10-753d-565c-ad36-70b92a09e07c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145470Z", "creation_date": "2026-03-23T11:45:32.145472Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145478Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4fc254af8ebfa6fc1050f65c17015b39b36693b58f029c2fa1873976cbca52df", "comment": "Malicious Kernel Driver 
(aka driver_4fc254af.sys) [https://www.loldrivers.io/drivers/85335187-dae0-4f06-acea-209efaf74973/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e5e549b9-d4de-5054-a238-0f6274817a01", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984750Z", "creation_date": "2026-03-23T11:45:29.984753Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984758Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2a652de6b680d5ad92376ad323021850dab2c653abf06edf26120f7714b8e08a", "comment": "Dangerous Physmem Kernel Driver (aka AsrIbDrv.Sys) [https://www.loldrivers.io/drivers/31797996-6973-402d-a4a0-d01ce51e02c0/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e603aef4-f3e1-532d-9aed-c91db07c7e56", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618407Z", "creation_date": "2026-03-23T11:45:29.618409Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:29.618415Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f583cfb8aab7d084dc052dbd0b9d56693308cbb26bd1b607c2aedf8ee2b25e44", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e63e5019-50e8-5685-b3c4-506e0ddea68a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827330Z", "creation_date": "2026-03-23T11:45:31.827332Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827338Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5fbe174f035e18fdd51af52d73eee45479728e84c1e9bb38c2e70ebf77301291", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e63fbe78-6f81-5590-9e60-4927ced8ff0d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979777Z", "creation_date": "2026-03-23T11:45:29.979779Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979784Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9be868eb7e177ee6d762f2a022acf18b6b190fecbe445b3c09fc0494e8244ee8", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e645793a-04ae-59fe-aed6-07603eb92b47", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495023Z", "creation_date": "2026-03-23T11:45:31.495025Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495030Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7788872dc0b5c9b870e18c1be9bfd50e42b3149aff2b6322f3c23f6a4a342342", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) 
AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e650a3a2-df01-5f66-b36d-9868fd9b4f39", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968668Z", "creation_date": "2026-03-23T11:45:29.968670Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968676Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "66a43661e2bd1e3c1d8f5c3eabd7a7861c5edad3d0fe54d52b26a5ce04f2d874", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e653e82d-b981-588d-baba-e5a8c5c93292", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159498Z", "creation_date": "2026-03-23T11:45:31.159501Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159507Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "91a13c74aaf017149e1ab5295b93fe98adaec813e6b33c36d7b3ca813e706961", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e6562402-d386-5cb9-98a3-aa45e0672d4c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470553Z", "creation_date": "2026-03-23T11:45:30.470556Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470565Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0fe7b0aaeb4b93840492f7d299a5ac481feb74296afcda1da4214db40856f003", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e6654aca-70eb-5793-90c5-4b61d2300745", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.500121Z", "creation_date": "2026-03-23T11:45:31.500124Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.500133Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab650310346e12c495d166265324002af2fe2d71a8cba692a58790ec1a834d4d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e6671165-9be8-5756-a65f-91c681131817", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972577Z", "creation_date": "2026-03-23T11:45:29.972580Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972585Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9b2f051ac901ab47d0012a1002cb8b2db28c14e9480c0dd55e1ac11c81ba9285", "comment": "TG Soft vulnerable driver (aka viragt.sys and 
viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e67dafc2-e245-5d0b-b63d-6fe9b653f5c1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982121Z", "creation_date": "2026-03-23T11:45:29.982123Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982129Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "45ba688a4bded8a7e78a4f5b0dc21004e951ddceb014bb92f51a3301d2fbc56a", "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/b03798af-d25a-400b-9236-4643a802846f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e68be877-9184-5e8f-ae55-168f84e6a19f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160927Z", "creation_date": "2026-03-23T11:45:31.160929Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160935Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b205985dc6fb5cc86bc0183295733792f6381cbc4fd71ebadddaa4580efc111b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e696b159-00cc-5604-8380-72a6bee9cff4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480269Z", "creation_date": "2026-03-23T11:45:31.480273Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480283Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "64c691ba709918402a9057476a20c115553114cc561a0e747fe9051a3a6e59e7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e6972193-88d6-5f37-a185-d739c22309dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827838Z", "creation_date": "2026-03-23T11:45:30.827840Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827845Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8b6f84253fa4636d168adb43f17cab909078468c3642370fad468814ee494468", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e69ad721-17ab-5aee-8b0b-6e9f507b9c74", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611325Z", "creation_date": "2026-03-23T11:45:29.611327Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611332Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"942a7b2ebca0edeff5803c8f899ee455c0ec279542c41d2db2664d58c1025c86", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e69c56b2-6322-56ed-a556-3482426443af", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157032Z", "creation_date": "2026-03-23T11:45:31.157034Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157039Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3b161aa3620aeb3f956d2fed22b8031e1f822c8f25dd8658988d40b34082d053", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e69f04f4-1ae0-5d12-862c-973a02400602", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.158974Z", "creation_date": "2026-03-23T11:45:31.158976Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.158982Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "19b048d27c93af7f35c406803cadf3f5c11db7a7bbb302a7c3b75814b463c3ff", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e6a80a26-709c-5a5f-bc2d-47af6e11dd4c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815234Z", "creation_date": "2026-03-23T11:45:31.815237Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815242Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f23b826fcf9dbb3f30896d08df697232cf627e7893a47a6d57f1fc9f42cb75c1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e6af817a-bc47-55f0-bdb0-a261c62262e7", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823701Z", "creation_date": "2026-03-23T11:45:30.823703Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823709Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "71e98a83634fde14dc0b117a7aaee15ad5926f3dacf573b53390ff0dedc3e219", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e6ca9fb7-73db-5b30-826a-f594e2371182", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973671Z", "creation_date": "2026-03-23T11:45:29.973673Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973678Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "5192ec4501d0fe0b1c8f7bf9b778f7524a7a70a26bbbb66e5dab8480f6fdbb8b", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e6d9077d-e298-552e-9575-aba16e43de8d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979411Z", "creation_date": "2026-03-23T11:45:29.979413Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979419Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "86047bb1969d1db455493955fd450d18c62a3f36294d0a6c3732c88dfbcc4f62", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e6ddea18-6801-537a-b3cb-b61ddecd9cf7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828583Z", "creation_date": "2026-03-23T11:45:31.828585Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828590Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "404ca49fd22c7f9b7e575b5dec71a649c043486886f5f8b2349b0486a38c3e53", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e6e7f4e1-ed2a-5feb-bc40-af648abeaaf0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151281Z", "creation_date": "2026-03-23T11:45:31.151283Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151289Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ecdaef6f3da089597a58aff6ce473394cb9fc3ae32865a08127be953beade95", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"e6ec4d76-b073-5241-9b05-1bc4ce5402a8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818312Z", "creation_date": "2026-03-23T11:45:30.818314Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818320Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6297556f66cd6619057f3a5b216b314f8a27eebb5fa575ee07a1944aca71ae80", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e6f4d3be-d76d-5abc-afcf-442bf420cc9b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481551Z", "creation_date": "2026-03-23T11:45:31.481555Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481565Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "d7c6108816ce5583c38d8f9a98f6e6887eb9c02deb6ec37e1d8c9b09916b12b2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e6f7c745-c581-51fa-9b5d-02d419cb87d4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144446Z", "creation_date": "2026-03-23T11:45:31.144448Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144453Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a562438824f1f074c1eee38e458ca39a2f7452d37e357f3866b1b70b01f4ac26", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e6fe4994-8c6b-569f-901f-4bc1deaeedc3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470430Z", "creation_date": "2026-03-23T11:45:30.470434Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470443Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "26908983e18b807894909d11d6d0fa2d8fbe7544b61184267851c2a839f3b306", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e701b408-1477-59e4-8884-a7f5049a263f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830186Z", "creation_date": "2026-03-23T11:45:31.830188Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830193Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "063c06d788da475d86bf443fe2d87f474cf614d686ba2add3b5fe6116f532194", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"e7054bd7-74b6-588d-bd6b-096ed27ddb23", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495761Z", "creation_date": "2026-03-23T11:45:31.495763Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495768Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "da587211d665f55428e281ab6c4ea9164fb8420aa3cb82ff4509c4f10a1d0fef", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e70dadb7-51e4-5b76-91f0-3d6b68d1abe9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.484815Z", "creation_date": "2026-03-23T11:45:31.484819Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484829Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e9faef848ca903958f958e420edd216a18621adedfe56fc77d835f8237bcef41", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e710fef6-5112-5732-872a-b3ecff50ec86", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487361Z", "creation_date": "2026-03-23T11:45:31.487363Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487368Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0f4daffa9ffe2dacb00343990ee197cb86415519466b5cc3bf8ff33108af51df", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e717fabd-e5de-5109-941b-2e4161f21b07", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476862Z", "creation_date": "2026-03-23T11:45:30.476865Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476887Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "615c391666b0fdaa0a8096320d35c7b951e6a0ee7f984ab3e892f838cb212b60", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e71e6de8-085c-5f5a-b66b-c5d193e6afed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499296Z", "creation_date": "2026-03-23T11:45:31.499299Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499307Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0ca54132ee9953d408688e17facfe8a0bc9bf93e73085c6782ab076a0c3aa2a6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e720683c-966c-53fc-a26d-795070b4fef3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822918Z", "creation_date": "2026-03-23T11:45:30.822920Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822925Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e53dabeff15be08a23fb7eccfd82fd1dbdc3de857b28209dac3b4b2bdc3cb13a", "comment": "Vulnerable Kernel Driver (aka SBIOSIO64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e7363871-e97b-5793-b2aa-fa4e46e6cdee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983920Z", "creation_date": "2026-03-23T11:45:29.983922Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983928Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "46ffe559f5a8f6bd611ac5a9264edf92d8449d8d31b2ddf6b2add5971e309c56", "comment": "Vulnerable Kernel Driver (aka iomem64.sys) [https://www.loldrivers.io/drivers/04d377f9-36e0-42a4-8d47-62232163dc68/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e736570e-0dd2-529b-8304-cd93ce375a2e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828860Z", "creation_date": "2026-03-23T11:45:30.828862Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828868Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0f5964b0bb4036485e8424006a47f68e1a6a5b65fbcb6a9381b2915dbc54bd4d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e73ba48e-a6c4-50d7-8926-dff9d4d933ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140856Z", "creation_date": "2026-03-23T11:45:31.140858Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140864Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7dbb58bc5a88defdbb20983a858b122df1c92f3a1be88879e00268db37d380cc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e757c61d-9f0a-5a31-9d47-eb773cdd095b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984407Z", "creation_date": "2026-03-23T11:45:29.984409Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984414Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cfab93885e5129a86d13fd380d010cc8c204429973b776ab1b472d84a767930f", "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"e75b4f39-1641-5bfd-8c66-d30636c9c636", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488828Z", "creation_date": "2026-03-23T11:45:31.488830Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488835Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "17d87146257a05e71e2b0c14c753a7a23b24f580684c20744328ee2c17c4a5d4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e7633e6d-d04a-5168-bd96-055676fff9e6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489993Z", "creation_date": "2026-03-23T11:45:31.489997Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490006Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "66389eeb0403a8b8a5e9c86d55015270091a8ce564f7a96daa49e422a5bf12ad", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e766c713-9b84-53c3-a628-0a84a267b9c2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474987Z", "creation_date": "2026-03-23T11:45:30.474991Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475000Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "31fcf4cbe7de8a5d563144e577324f9206bcc24ddf17473b436f1c693dff0ee7", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e76c5e47-70cc-5135-a90c-61db39f43c05", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610492Z", "creation_date": "2026-03-23T11:45:29.610494Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610499Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "60b163776e7b95e0c2280d04476304d0c943b484909131f340e3ce6045a49289", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e783780f-0df8-5d9e-8e38-06e077343de8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832003Z", "creation_date": "2026-03-23T11:45:30.832005Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832011Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6a4c86dc9c64509ec1fd2cbbc9ab3796d9e22987e08be41a82f9171b88a85c01", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"e78f66d7-b61e-5b12-8b1c-66e3a6bd661c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608562Z", "creation_date": "2026-03-23T11:45:29.608564Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608569Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "597e7d5feb149d9087888926d1454dc06f1078ab18c948b44f090910da8645f8", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e7916315-04a3-578c-a611-3e9f4b561540", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488152Z", "creation_date": "2026-03-23T11:45:31.488154Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488159Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "4157456f9f9b17f3cec65c7b4c0132a9607b95d84b7c91a78531f498b83c7bc5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e79954df-3256-514f-a4b9-f4170bc6e53b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480236Z", "creation_date": "2026-03-23T11:45:31.480240Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480250Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "59234802fe72df8ee65caa625efdbe3cfaeb53d1c9872dc2235947ba03f6a027", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e79e1b11-dccd-5bc9-88b9-ec626201d53a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145262Z", "creation_date": "2026-03-23T11:45:32.145266Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145275Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "77225a99b2e0e2b4007fb2f5a96d356e13deab45b9ef54c175d5452de8a211a7", "comment": "Malicious Kernel Driver (aka driver_77225a99.sys) [https://www.loldrivers.io/drivers/5fb86651-c152-404a-9a2f-0f54b0d2bb55/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e7a5bc55-8cdb-5f1f-9211-3e55da1877b1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826532Z", "creation_date": "2026-03-23T11:45:30.826534Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826539Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "562d931e327967192b2c614968ee90b4e0e1f226c152800d2f6df4e602147203", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"e7a98455-6ffb-50cd-9711-71ce7e73ceae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151264Z", "creation_date": "2026-03-23T11:45:31.151266Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151271Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "89138b34b0e057db07d7c6e56992aca0f30faafcce9fe511dcab7d14f3f41279", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e7b10f8f-9b89-5f48-a473-d74180df6515", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824904Z", "creation_date": "2026-03-23T11:45:31.824908Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824917Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ab0442d9b69f0087e4acb3bda60422061c41ded7cf5e197a2bedefc98655993", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e7b85012-0bfe-535d-a54b-254e5e16365c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477643Z", "creation_date": "2026-03-23T11:45:31.477647Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477657Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f22701e787985e0335480e616a36bd33d7df96272a2afa1b812430cfc449a53f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e7cff119-2db4-5ec5-8dae-dd42dcdf982d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820160Z", "creation_date": "2026-03-23T11:45:30.820162Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820167Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f72dbb2a818ba47ca03ffbe50d211050210699c25caec3b97ca960d7286d4b6a", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e7d01e33-9469-5460-bbfb-8420062115aa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972560Z", "creation_date": "2026-03-23T11:45:29.972562Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972568Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2b4c7d3820fe08400a7791e2556132b902a9bbadc1942de57077ecb9d21bf47a", "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file 
SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e7d1fbe6-7be0-5f90-8f3f-c904fc97f431", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475702Z", "creation_date": "2026-03-23T11:45:30.475705Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475714Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "89698cad598a56f9e45efffd15d1841e494a2409cc12279150a03842cd6bb7f3", "comment": "Malicious Kernel Driver (aka wfshbr64.sys) [https://www.loldrivers.io/drivers/ddf661c0-7dfc-4c26-89c5-00cd6a81a139/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e7dce429-7080-5bc4-b6fb-d9a90041bb39", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476598Z", "creation_date": "2026-03-23T11:45:31.476601Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476611Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0cc0132730115b65bfda0adb4de8a1a1c035b1d0eb2384873cf3a5c3cb2efb14", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e7e2f8c9-b0df-5860-9bf4-4ff8f8730a71", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477055Z", "creation_date": "2026-03-23T11:45:30.477058Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477067Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e0e65416f40cf3bea00d77515a7d8ab508d3aa2b7b622a8799a49635c4d5dbb5", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e7ea15a4-f24f-50bb-b25b-5d64d2e1f9e9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809063Z", "creation_date": "2026-03-23T11:45:31.809065Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809071Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0213810e01cabf7f296d17d4bdd768a644ac5ed46ed03428c45fa986a0ece28e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e7ea4f9a-1560-50f9-9a13-0b54c0ad1e4e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155701Z", "creation_date": "2026-03-23T11:45:31.155703Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155708Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1d687eab6e49d5157a820ca9a4788a2cb594c8311a36d0f6b53330adbbd2ed10", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e7ea84e6-c805-5533-9402-7e040d02d78f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810380Z", "creation_date": "2026-03-23T11:45:31.810382Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810387Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "63099e522e7971f91099d1d050e054399d21920b3d843b0553ea054d5488deb1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e7f9fd54-2ac6-53a8-8900-220e3a0f8acb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608138Z", "creation_date": "2026-03-23T11:45:29.608140Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608145Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0f4a442256f785969f8e1325bb98612da17528e76110bb8112cae78e3edcd547", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e810845b-3b8d-5846-ac21-20148bc42b6f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974069Z", "creation_date": "2026-03-23T11:45:29.974092Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974098Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ec5fac0b6bb267a2bd10fc80c8cca6718439d56e82e053d3ff799ce5f3475db5", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e811aeb0-5f41-5992-ba3a-e03f8322daa6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827311Z", "creation_date": "2026-03-23T11:45:31.827313Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827319Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "697df9f2cbd118088a334949a493bb51f5fc6354aa62d61e4143a5d1debbd3c0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e8125746-588c-5e5f-b989-c965156d098a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143060Z", "creation_date": "2026-03-23T11:45:32.143062Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143067Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1f8812611cf7120e89e769cc908fabc0c9e49b27fded8dde6a3de51d9ce34f09", "comment": "Vulnerable Kernel Driver (aka msr.sys) [https://www.loldrivers.io/drivers/ee6fa2de-d388-416c-862d-24385c152fad/] [authentihash SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e81ffaaa-455f-5271-b5ea-0e77a57f8257", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830274Z", "creation_date": "2026-03-23T11:45:31.830276Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830281Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "95bbc68071b6918824caee3737b1810ee48ac96940de4ff18dd237ea6aa36039", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e835c41b-1d2a-5ea6-98d8-4c5e4bb56e7d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621616Z", "creation_date": "2026-03-23T11:45:29.621618Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621624Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a7860e110f7a292d621006b7208a634504fb5be417fd71e219060381b9a891e6", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e849a909-7f91-548a-a58b-819972b77812", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144707Z", "creation_date": "2026-03-23T11:45:32.144709Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144715Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8da085332782708d8767bcace5327a6ec7283c17cfb85e40b03cd2323a90ddc2", "comment": "Malicious Kernel Driver (aka windivert.sys) [https://www.loldrivers.io/drivers/45a31a17-f78d-48ec-beba-74f6bfc5f96e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e84a8e81-2ed7-5760-b592-6e09412e23ae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.478983Z", "creation_date": "2026-03-23T11:45:31.478987Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.478997Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "569b0bba367c867eb1236fe0a901dbebef28bf1ecd5c9a1191c6b8189e929937", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e864ad60-26d2-508a-8ce3-1a24485ee528", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808486Z", "creation_date": "2026-03-23T11:45:31.808488Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808494Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "671f71f285dcbb8320d7516b52e0bc7842b0a218a0102a516780cb64715ab300", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
} { "id": "e865fde4-baf7-54d8-a30e-9a46face5248", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159067Z", "creation_date": "2026-03-23T11:45:31.159069Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159074Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ff3f0bb2e78344e83dcddd3c7d327f2014724b0ded0c2c3f0de6bdfe8c134847", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e87baac3-a164-5029-82f1-a0e2f001d2ac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475159Z", "creation_date": "2026-03-23T11:45:30.475162Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475171Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e", "comment": "Vulnerable Kernel Driver (aka bs_rcio64.sys) [https://www.loldrivers.io/drivers/cacf18a5-6d7d-4a63-92d4-bda386a3da18/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e8973e79-e57d-5534-8f85-168cd87bbb18", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821183Z", "creation_date": "2026-03-23T11:45:31.821186Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821195Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bf79ce5b627fa50bb6f20c54edc8cbfa258bd0614efd921976310cf1d395e80b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e898c861-d93c-5962-a9e4-9a570f592ff5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144147Z", "creation_date": "2026-03-23T11:45:32.144149Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144154Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "44ebb0f534e7cdfec06d5234358d219798a313219b214d72aa23afc5a57d7ea9", "comment": "Malicious Kernel Driver (aka idmtdi.sys) [https://www.loldrivers.io/drivers/c2e98102-2055-48f0-9449-3e7a7f2c0ffe/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e8a348f0-0072-54cd-a187-ecbd9bfcda1f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611010Z", "creation_date": "2026-03-23T11:45:29.611012Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611018Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "55e3b977402be076bfafe332a3fb29ddb6b02edf932d02e963df09adbe89eb91", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e8a79c99-57d0-55ec-9340-ab168040d4c3", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830385Z", "creation_date": "2026-03-23T11:45:30.830387Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830393Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "87f8155a5a32e2623d124f29e7391bfb2971b8abe02786066917b950af70a0f9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e8aa54b9-d19b-588a-a0e9-35113f2afd58", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474580Z", "creation_date": "2026-03-23T11:45:31.474585Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474596Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "5e5dd268969e13f3af9bdb3c0e7b9a29746d3ae03adefe5457c1d96677395692", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e8be7a3f-aaa8-5389-9542-07d0d46cda35", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816678Z", "creation_date": "2026-03-23T11:45:31.816682Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816691Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6594141aa7f1da404985aa30bb9b063624195dcd3068d73926ec7170d2ec9e82", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e8d4232a-8ca2-5610-ab44-ff9811a36c4d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483244Z", "creation_date": "2026-03-23T11:45:31.483248Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483257Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "32d0ad55f7796709b8c48a94aa442f1d9b00d1352a5f211ad306be35f8b0c807", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e8da4589-d1f2-5eaf-b846-18d806d03117", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810485Z", "creation_date": "2026-03-23T11:45:31.810487Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810493Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "78d1dfb77ee3705dfb820e03e6b035dbc67a85ffbffc889d92b3b8e9f9d123a3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e8ed23f2-7b84-5214-b2c8-fc17aef4df81", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453636Z", "creation_date": "2026-03-23T11:45:30.453639Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453648Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "75822137b0934c2146c789d9f6e52da4de4a191698b68819d6d4b0845bbc34ed", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e8ee87ab-94f6-530c-b942-1eecde0a0529", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492091Z", "creation_date": "2026-03-23T11:45:31.492093Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492098Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6ec4994e72d5712ef2fb4b9c5e1807393f9e9e98e38e479c6f5f66317c6bbc1e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e8eef2d4-d016-5a57-81b9-9e670787bfac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.149671Z", "creation_date": "2026-03-23T11:45:31.149674Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.149682Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1502ec276f542cf65e2d6b5159a04ee611ed06c96a0a51a7ab29985cc5634386", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e8fc1717-973f-50a1-94e9-8a87f6d289bc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985575Z", "creation_date": "2026-03-23T11:45:29.985577Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985583Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "994e3f5dd082f5d82f9cc84108a60d359910ba79", "comment": "Malicious BlackCat/ALPHV Ransomware Rootkit (aka fgme.sys, ktes.sys, kt2.sys and ktgn.sys) [https://www.trendmicro.com/en_us/research/23/e/blackcat-ransomware-deploys-new-signed-kernel-driver.html] [file SHA1]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e8fc473c-4101-5c79-a7ec-6ef2721cea10", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486199Z", "creation_date": "2026-03-23T11:45:31.486202Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486212Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a4e0129f40aeefed92e8353c3c2b73593fd9a4673f8480bcc89cdc28a17325d4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] 
[file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e8ff58fa-f950-5e7f-9baa-b52627149639", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820325Z", "creation_date": "2026-03-23T11:45:31.820328Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820337Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "776a6b62062565f3aaf361c57067ef6b043f7e65a92003ab3e02114f449a17cd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e903fbe4-f3ef-509b-8f2e-1884347e01e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493930Z", "creation_date": "2026-03-23T11:45:31.493933Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:31.493942Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a1ef67421bfa412aa90db0efee2176313bc40cf86ae31875387a47e57a46e561", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e90c2447-e7f4-5a81-834c-72ebc28b9553", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622314Z", "creation_date": "2026-03-23T11:45:29.622316Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622322Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bda99629ec6c522c3efcbcc9ca33688d31903146f05b37d0d3b43db81bfb3961", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e910c018-baaa-5440-b8d9-a72d94db6b9e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981165Z", "creation_date": "2026-03-23T11:45:29.981168Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981173Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "773999db2f07c50aad70e50c1983fa95804369d25a5b4f10bd610f864c27f2fc", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e9136986-a042-5a7b-be5e-65abd504c2c7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479183Z", "creation_date": "2026-03-23T11:45:30.479185Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479191Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7d4ca5760b6ad2e4152080e115f040f9d42608d2c7d7f074a579f911d06c8cf8", "comment": "Vulnerable Kernel Driver (aka NCHGBIOS2x64.SYS) [https://www.loldrivers.io/drivers/d2806397-9ceb-47c8-b5f3-3aabec182ff5/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e937acc5-7c16-52de-92c8-a5c235bafba9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809183Z", "creation_date": "2026-03-23T11:45:31.809186Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809195Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "853a8e09134f2f6bba979fd2c58da7f6891400a1d3466587e5da911f66f9d4a5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e93854a4-a16a-5320-ae16-f3f839e57d62", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140654Z", "creation_date": "2026-03-23T11:45:31.140656Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:31.140661Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a5e0b93a56a54ab0d3a0280792e41e7bc4cbaad8c83296ea36a225257a9083f6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e940579f-7060-5d30-b1e5-134a55e4926c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141255Z", "creation_date": "2026-03-23T11:45:31.141257Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141262Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bce1a5ad428f546c4ed60218c736d488dce97db171a9789c7bb100158adbb823", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e94c01aa-256f-552c-8837-c884ad19928d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978014Z", "creation_date": "2026-03-23T11:45:29.978016Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978022Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5cb1dc26159c6700d6cadece63f6defda642ec1a6d324daefb0965b4e3746f70", "comment": "Vulnerable Kernel Driver (aka bw.sys) [https://www.loldrivers.io/drivers/578d4909-c2ba-4363-b6e3-98fb62d5e55c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e94e621a-2c5a-55e7-b82b-d1a34c5a1683", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.142902Z", "creation_date": "2026-03-23T11:45:32.142904Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.142910Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "490cfbb540dcd70b7bff4fdd62e7ed7400bbfebaf5083523d49f7184670f7b9a", "comment": "Vulnerable Filseclab Driver (aka fildds.sys, filnk.sys and filwfp.sys) [https://twitter.com/SophosXOps/status/1764933865574207677] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e9527af1-2057-5c66-9769-4efe67a412d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464709Z", "creation_date": "2026-03-23T11:45:30.464712Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464720Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "822982c568b6f44b610f8dc4ab5d94795c33ae08a6a608050941264975c1ecdb", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e954db85-c341-5ee6-a1ae-8e884aeb7cd4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820190Z", "creation_date": "2026-03-23T11:45:31.820193Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820201Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b55a7edd07072c5c1113b5ca0cd7183ee46f764b8adf9e21cc59a2f22c3c4d8d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e9569b8d-9423-57db-8da2-b6e9ca02ab66", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.145360Z", "creation_date": "2026-03-23T11:45:31.145362Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.145367Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "57ceafd2895c255019669df566a5e666cc5e285abba0647978b980b1cb858205", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e95819aa-cb4d-5ebc-a7c4-48ed32ed7293", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980699Z", "creation_date": "2026-03-23T11:45:29.980701Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980706Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0d10c4b2f56364b475b60bd2933273c8b1ed2176353e59e65f968c61e93b7d99", "comment": "Vulnerable Kernel Driver (aka CtiIo64.sys) [https://www.loldrivers.io/drivers/de365e80-45cb-48fb-af6e-0a96a5ad7777/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e95e494e-ab8d-5f6e-ada8-329d1dfd4487", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140726Z", "creation_date": "2026-03-23T11:45:31.140728Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140734Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ddef89f6c8b7ed80a517685245b7c4f534703a95f2d69495c7a92a88647ca68c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e95ec03d-a73a-59db-a592-219e57b788b3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488257Z", "creation_date": "2026-03-23T11:45:31.488259Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488265Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c649a4fa9d7e58308b37764114361d3825bd40671dc8bb7db5d5fb35895d9946", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e9650d45-14da-5ba1-92f1-6d87278c3355", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972508Z", "creation_date": "2026-03-23T11:45:29.972510Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972515Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e05eeb2b8c18ad2cb2d1038c043d770a0d51b96b748bc34be3e7fc6f3790ce53", "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e96546b5-17a4-598e-9a9e-22103f6e25d3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978912Z", "creation_date": "2026-03-23T11:45:29.978914Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978919Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e2449ccc74e745c0339850064313bdd8dc0eff17b3a4e0882184c9576ac93a89", "comment": "Vulnerable Kernel Driver (aka Black.sys) [https://www.loldrivers.io/drivers/4b047bb8-c605-4664-baed-25bb70e864a1/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e96bafbc-d941-5f9a-8375-beb01ec155c3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612974Z", "creation_date": "2026-03-23T11:45:29.612976Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612981Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "734b74798a680d2e534c14a033858c4081c7879af1f48037d9d5483aa27a7e90", "comment": "Marvin Test Solutions HW vulnerable driver (aka Hw.sys and Hw64.sys) [https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e96f5149-b3d7-5a25-b1fc-100855121a43", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616808Z", "creation_date": "2026-03-23T11:45:29.616810Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616819Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aef3985caa213c9e5e0a0d5e75a9a7918a92c08690b5a04a6b14d6372c2dd71c", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] 
[authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e97d5826-1ef7-5acd-ac82-805bd4006eb3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976642Z", "creation_date": "2026-03-23T11:45:29.976644Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976650Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd66e893300e7e59a749fe4e1b1706f8ccb5ae140254def9f5a614648e2da36f", "comment": "Malicious attestation-signed Drivers (aka NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) 
[https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e981b70e-d33f-5727-a247-eedc09afefdd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620072Z", "creation_date": "2026-03-23T11:45:29.620074Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620079Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9f1229cd8dd9092c27a01f5d56e3c0d59c2bb9f0139abf042e56f343637fda33", "comment": "Intel vulnerable drivers (aka semav6msr.sys and piddrv64.sys) [https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e9891970-1b74-5879-8ef6-410e0bfe9146", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141612Z", "creation_date": "2026-03-23T11:45:31.141614Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.141619Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "40a9e2cd3755180f9b1ed21616ec9a8442d5618361a0a17b6332d1ae1bec5058", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e98a8bec-2318-552e-b78e-7ea8b59ef0ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819999Z", "creation_date": "2026-03-23T11:45:31.820003Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820011Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "65799df3a3d3ba7f529daba403ee6c8f5240b6194822266a0fc8f439bb1fdd62", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e98b5d01-ec84-5f96-b279-7761d63cb762", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160065Z", "creation_date": "2026-03-23T11:45:31.160067Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160072Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d7f81fb6afd180e9005b0c8dd178181a296952aab5e3b56c21597924c957edaa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e99216f8-ddb9-58a5-97eb-5fc46a15dad3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976210Z", "creation_date": "2026-03-23T11:45:29.976212Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976218Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f461414a2596555cece5cfee65a3c22648db0082ca211f6238af8230e41b3212", "comment": "Malicious attestation-signed Drivers (aka 
NodeDriver.sys, 4.sys, Air_SYSTEM10.sys etc.) [https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e99e5531-9025-5a1b-a59c-96b250bf1eeb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835085Z", "creation_date": "2026-03-23T11:45:30.835088Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835097Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8db11ff4f0fbcf58ad118aefcc186ea7b273eefa9b537eee1ec92f0231c44e30", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e9a9c7af-9563-5ecd-badb-3ddae8aad830", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829154Z", "creation_date": "2026-03-23T11:45:31.829157Z", "enabled": true, "block_on_agent": 
true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829166Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9103c9085a372f4e2a09da45ff210a8096b7dc0c404719504ebf74f009e5deb0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e9ac3a0a-e472-5549-9751-dd0c37185db5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822326Z", "creation_date": "2026-03-23T11:45:31.822328Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822334Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8c827affab0c51c6388453fd855c304358a95e3b9fa4ca9101315169cde72d69", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e9b1fad4-f066-5e1f-adb4-50fdc9f69e93", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982964Z", "creation_date": "2026-03-23T11:45:29.982966Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982971Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "daf549a7080d384ba99d1b5bd2383dbb1aa640f7ea3a216df1f08981508155f5", "comment": "Vulnerable Kernel Driver (aka WiseUnlo.sys) [https://www.loldrivers.io/drivers/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e9b7835a-4ac1-5afb-8071-059bbc53e8a5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477548Z", "creation_date": "2026-03-23T11:45:31.477552Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477562Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aa76f8a295e5013e85b3c8de9b8a4e5ca6052fffcf119a4c0be03743bba8221d", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e9be632e-3671-57ba-ad85-dfd3b2c68f6b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819262Z", "creation_date": "2026-03-23T11:45:31.819264Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819273Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6a532a1c1a6177ee75f189805855c15965e689140f2acc14ed4f81a8b82a9869", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e9d591b1-63b1-5b02-b5e2-dff6e1d5c554", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147639Z", "creation_date": "2026-03-23T11:45:31.147641Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147646Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1821221fdd3984994974e6001eda4afbc6ef07e05206587a48cbd9b6d787f220", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e9d7c94d-fd73-50d4-94d7-6d8792e69d05", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148329Z", "creation_date": "2026-03-23T11:45:31.148331Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148337Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "efc3fc8e98ffdc26239f584632c6c8c0ecdec9eb02e4e19ae126c153986bf5b8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e9e79f64-0c08-5f11-953f-b5f6812ffba2", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464480Z", "creation_date": "2026-03-23T11:45:30.464483Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464491Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4d42678df3917c37f44a1506307f1677b9a689efcf350b1acce7e6f64b514905", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e9e812b3-1427-5331-a84b-a55e4de5673f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815763Z", "creation_date": "2026-03-23T11:45:31.815766Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815772Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9f96fb7c3a57c6efeb394f119d6965cceb9c58ec395671d12787f48389c0d676", 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e9e9709e-0569-54b5-83e0-2ff5ae467c67", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.158935Z", "creation_date": "2026-03-23T11:45:31.158937Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.158943Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1cbcb6ed0338f536d264cd4e851f1e34a84e733cc4d60519c416142f0b5982c7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e9f0ab3a-6209-5be8-94e3-4e17f969d091", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152960Z", 
"creation_date": "2026-03-23T11:45:31.152963Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152971Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7bd2dd16cd005368abcea9c6f457853ab46a153d058b909f135394d48a3e399f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e9f3f13c-4d62-5364-86ec-f9858a7f1ef3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476468Z", "creation_date": "2026-03-23T11:45:31.476471Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476481Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c1035795567d03236901340505b79a4dd1a7619dc22740a2f6a667ff53249248", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "e9f7f05a-8b8b-5cbd-9a45-7310d0336d63", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982659Z", "creation_date": "2026-03-23T11:45:29.982661Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982667Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "448a507774886c1745beaa86cd0867d93f142f5d2b58d452c5a8250d93359779", "comment": "Malicious Kernel Driver (aka wantd_5.sys) [https://www.loldrivers.io/drivers/3277cecc-f4b4-4a00-be01-9da83e013bcd/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ea04c9ef-ec1f-572e-8253-2c686726e25e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819908Z", "creation_date": "2026-03-23T11:45:31.819911Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819919Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"dbc2599da29472e0d376ee3dcd887d3b6eaedddd028f0a7eb22e78185d156ebc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ea04d2f9-91af-56b9-91cf-a9e326868140", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462555Z", "creation_date": "2026-03-23T11:45:30.462559Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462568Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4d03a01257e156a3a018230059052791c3cde556e5cec7a4dd2f55f65c06e146", "comment": "Vulnerable Kernel Driver (aka AsrDrv.sys) [https://www.loldrivers.io/drivers/213676bb-ffb9-4d0d-a442-8cefee63acc1/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ea18466c-3020-5fcf-93ce-2927f5a8a946", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823283Z", 
"creation_date": "2026-03-23T11:45:31.823286Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823294Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ef85f011947ad77f258a42705c392e9ad9de97e7b4f69f91fb124230e9218bb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ea1d568f-49c2-5386-998c-4d2c97bdd9a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141006Z", "creation_date": "2026-03-23T11:45:31.141008Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141014Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4c292ad99577e588b0c252a171b5fd1e708c5f29f2625cb9c2c91077ef768e2a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ea1f40be-64ac-5685-971e-b4ba12436268", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828668Z", "creation_date": "2026-03-23T11:45:30.828670Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828675Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0d4e9ba2a651657a68ee5b97e3f648e2b3670eea824edf5a07eb39c1a6dc4beb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ea21a4cc-4d9c-589c-8ab9-284c5d2fdd35", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618390Z", "creation_date": "2026-03-23T11:45:29.618392Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618398Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "84df20b1d9d87e305c92e5ffae21b10b325609d59d835a954dbd8750ef5dabf4", "comment": "Vulnerable Kernel Driver (aka netfilterdrv.sys) [https://www.loldrivers.io/drivers/f1dcb0e4-aa53-4e62-ab09-fb7b4a356916/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ea2367f4-d834-5ab0-81ed-89f0fe314e67", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459793Z", "creation_date": "2026-03-23T11:45:30.459797Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459805Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7fba2584bb4fb801f322e3a63253ffac36a76d9dc5f0a4747746b0791e2a0d0b", "comment": "Vulnerable Kernel Driver (aka Driver7.sys) [https://www.loldrivers.io/drivers/9ca73d04-3349-4c16-9384-94c43335a031/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ea3824d0-459e-522e-80a7-8600ae511bbb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477490Z", "creation_date": 
"2026-03-23T11:45:30.477493Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477502Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9ca586b49135166eea00c6f83329a2d134152e0e9423822a51c13394265b6340", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ea4e71a1-fedc-5dfa-baec-634bfd0ce84d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829301Z", "creation_date": "2026-03-23T11:45:31.829305Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829314Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "723b21973a67f54ac06570f3e8dabebc5feb346a478becc16093c3d76cf67200", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ea4ee273-ed33-5c08-b850-cd8a2daa4ad2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144670Z", "creation_date": "2026-03-23T11:45:32.144672Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144678Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2f43f4251be4d72dd56c91bf6cce475d379eb9ba6c4dda2be3022ea633d5e807", "comment": "Malicious Kernel Driver (aka windivert.sys) [https://www.loldrivers.io/drivers/45a31a17-f78d-48ec-beba-74f6bfc5f96e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ea5ca6dd-98ca-5d69-ab28-6637260b6945", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816782Z", "creation_date": "2026-03-23T11:45:31.816786Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816794Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7a531eba3777600578d44166c38161efa9099a994fb80156ef605f4d2cd4025c", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ea61d637-69a7-54d6-a938-7203bd836008", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141345Z", "creation_date": "2026-03-23T11:45:31.141347Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141352Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d60bd5f693f32e13add78e5afb7f733fbe031afa66d93b37eb71afa3542059b1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ea6816bd-cf40-5d2f-b1cc-77ff5bf6792a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613989Z", "creation_date": "2026-03-23T11:45:29.613991Z", 
"enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613996Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bb1135b51acca8348d285dc5461d10e8f57260e7d0c8cc4a092734d53fc40cbc", "comment": "Huawei vulnerable drivers (aka HwOs2Ec10x64.sys and HwOs2Ec7x64.sys) [CVE-2019-5241] [https://www.microsoft.com/security/blog/2019/03/25/from-alert-to-driver-vulnerability-microsoft-defender-atp-investigation-unearths-privilege-escalation-flaw/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ea749a9a-c1dd-59b1-a78a-75dd6502ed98", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157067Z", "creation_date": "2026-03-23T11:45:31.157069Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157074Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d3a55aba512689dcac863c407406500e51c2fc6a50235debdca38d70a174eada", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ea74dc83-cace-5bb4-9440-2f62eb547b20", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836717Z", "creation_date": "2026-03-23T11:45:30.836720Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836725Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7dbca9a9907d361d4ccf6883644fee00f5d13436bedfd27598fe07ee1683f6ee", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ea7e0beb-6f99-5ccf-b96c-d85b5be78d10", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828820Z", "creation_date": "2026-03-23T11:45:31.828822Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828827Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "ef2bcf2525e7512880825629aa38263bd8b836dfafdf2caf84963486c9be4bed", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ea7f9e9d-e283-5722-bd3c-8539f49b3086", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153789Z", "creation_date": "2026-03-23T11:45:31.153791Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153796Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e8109fb3d71bf47d43e8715d5362e526cd08d023aa606eb75e39a7b2e5d3e879", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ea899b1c-8c79-5514-b746-89f9c9719bac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140064Z", "creation_date": "2026-03-23T11:45:31.140068Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140077Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1d976f2023dfabea845fea85ab7427c3293196bae53ea20efb2ba1e08fb492b5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ea8b8667-a624-5a33-82ea-88cae4c83610", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816099Z", "creation_date": "2026-03-23T11:45:30.816101Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816107Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dba8db472e51edd59f0bbaf4e09df71613d4dd26fd05f14a9bc7e3fc217a78aa", "comment": "Vulnerable Kernel Driver (aka sysconp.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"ea91ff8d-4a04-50c2-8e29-e5f4d67e7ff5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972405Z", "creation_date": "2026-03-23T11:45:29.972407Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972412Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e80597ea0d75e9198428c81ca5b4495bf11922dd29852a0a2e63998e36857746", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eaa010e5-8994-5f69-a730-bbca1c3fb08d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155310Z", "creation_date": "2026-03-23T11:45:31.155312Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155317Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "b9582cac23cf8bd3a3d66c09195ab6b0389b3fe35490e3a4db97f6338dfe3948", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eab9a02f-ff01-5a0e-b710-59ec18ab51d1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151469Z", "creation_date": "2026-03-23T11:45:31.151472Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151481Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4b34749d344404ea726643fdca9c68fe7fca58bf17d2baf57afacd1f5654793c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eac1fe17-9270-5699-81aa-2a6df35254d3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473184Z", "creation_date": "2026-03-23T11:45:30.473187Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473196Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6c5c6c350c8dd4ca90a8cca0ed1eeca185ebc67b1100935c8f03eb3032aca388", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eac65c31-301b-5b9c-9927-aea3d0796874", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606043Z", "creation_date": "2026-03-23T11:45:29.606045Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606050Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3503ea284b6819f9cb43b3e94c0bb1bf5945ccb37be6a898387e215197a4792a", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eac65cde-7450-5f8e-ad5c-ad17591f0cad", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816711Z", "creation_date": "2026-03-23T11:45:30.816713Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816719Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1076504a145810dfe331324007569b95d0310ac1e08951077ac3baf668b2a486", "comment": "Vulnerable Kernel Driver (aka tdeio64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eac97563-a472-5e56-92c7-63d7fa9c6a8a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617466Z", "creation_date": "2026-03-23T11:45:29.617468Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617473Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", 
"value": "d2182b6ef3255c7c1a69223cd3c2d68eb8ba3112ce433cd49cd803dc76412d4b", "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eaca3cc5-3554-5b31-a3ad-b72ea6126aea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473266Z", "creation_date": "2026-03-23T11:45:31.473270Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473279Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4af90ad45d4ddde16668ee510cea281c2b82ec1dd3781b091eb3769e76a6a54e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eacfa977-21a7-582c-a8a0-524f45888ad4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:31.153718Z", "creation_date": "2026-03-23T11:45:31.153720Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153726Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "079eb5d41b6caeb7ca008b3b22a1219fbb76a14327401071bd04fdc05d6e3301", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ead387ba-dcb9-55c2-a59c-aefc236565c2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835720Z", "creation_date": "2026-03-23T11:45:30.835722Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835727Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "80025dbd57fa67b9753652f1bedf4405cfd85e397f470a1cb820deedab1c9666", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"ead912e0-3976-5b16-8a15-23ead6cf9af1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489196Z", "creation_date": "2026-03-23T11:45:31.489198Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489203Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "70f812f516906f4af9a2be348c4ed2f49589cfeddfa1d05b3863b0794d61178d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eae2f9fd-8894-573b-9b08-d27c448fd766", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970106Z", "creation_date": "2026-03-23T11:45:29.970108Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970113Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c13745de817eb38a092524cd3dae805c8fbde967e635e485243782db955508cc", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eae4ee15-3638-5cbd-955f-7fa122f9dd53", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978458Z", "creation_date": "2026-03-23T11:45:29.978460Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978465Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "959860cea7a720811a960e28e0318c470948d96ab3ba3312d20fea0f24bc0979", "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/a7628504-9e35-4e42-91f7-0c0a512549f4/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eb0856c4-59dc-5575-a9dc-02ab0f91c1e5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144800Z", "creation_date": "2026-03-23T11:45:32.144803Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144809Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9d5e8700a434838eb63a0573178b4291f07a9d96dabfb4ead40253a3cd9edefd", "comment": "Vulnerable Kernel Driver (aka ViveRRAudio.sys) [https://www.loldrivers.io/drivers/4cb95b41-43b4-4806-b536-ae5fd8c76b0e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eb0a86ab-4216-5ddd-90c3-5e84519d3022", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979446Z", "creation_date": "2026-03-23T11:45:29.979448Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979453Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6661320f779337b95bbbe1943ee64afb2101c92f92f3d1571c1bf4201c38c724", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eb11ae03-395c-5eba-bb9f-1d9403a90a34", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825651Z", "creation_date": "2026-03-23T11:45:30.825653Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.825659Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8404e44c1313e7d04dc89fd5e565f27696edb211da48992a843da5bb79eeef17", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eb1484cf-c71e-5a2d-87fd-bf91c7397363", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985162Z", "creation_date": "2026-03-23T11:45:29.985164Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985170Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"1e0eb0811a7cf1bdaf29d3d2cab373ca51eb8d8b58889ab7728e2d3aed244abe", "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eb1e05ef-f6e0-50e6-9534-544e7485ce8f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460494Z", "creation_date": "2026-03-23T11:45:30.460497Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460506Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f48f31bf9c6abbd44124b66bce2ab1200176e31ef1e901733761f2b5ceb60fb2", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eb228c42-27b2-5d68-b9a7-4a2893b28e01", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458344Z", "creation_date": "2026-03-23T11:45:30.458347Z", "enabled": 
true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458356Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "410d79a49c02da50f4567166d5acef977b5dbc3aafb67522939bf902e65596a5", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eb2e91a7-b6ac-59d2-966c-2781a01d40a7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498658Z", "creation_date": "2026-03-23T11:45:31.498661Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498668Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a87819c0f9bc3a1c591d04a3d0bc08ba7275d8c85e59681a6bff4083fe91bd6e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eb30bdf3-2723-5cc7-8ec5-e450a07ac490", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150089Z", "creation_date": "2026-03-23T11:45:31.150091Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150096Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a66de0bc76312ea46da3e5eda7fe9053ffd14a24a587baddafbdf487c85da68b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eb48d59c-3700-5231-9d53-30f1c02c0e4c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819244Z", "creation_date": "2026-03-23T11:45:31.819247Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819252Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d818b61ad6877c1e82c4ac32b86c2da42990919b1c61b068e279c8b5b46ffc4c", "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eb581438-27f2-5038-9bf8-5009f963cc65", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480868Z", "creation_date": "2026-03-23T11:45:31.480886Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480893Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e03dc0423f91a1d8b7832b10e87e44d89c3533bc5dd09fcbc8581cec881aa028", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eb5fbdec-1845-501b-8519-86903bb30a58", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470698Z", "creation_date": 
"2026-03-23T11:45:30.470701Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470710Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fa659944a59430edc6162b285d0fa7b6fbfd28b9057f7286eee127888431844e", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eb687ac1-11a1-53ce-96ca-db9b29f7fb52", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141183Z", "creation_date": "2026-03-23T11:45:31.141185Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141191Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "89de85cf244a5dc4591e4f733d8e722f68673b74ebdfafd674bf10f84c9a7b15", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eb6922d5-90a0-51a2-b4c6-3fe8d9b4a31c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614489Z", "creation_date": "2026-03-23T11:45:29.614491Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614496Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "38fa0c663c8689048726666f1c5e019feaa9da8278f1df6ff62da33961891d2a", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eb710708-e0bc-5b8f-8699-2efb84b86cef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821559Z", "creation_date": "2026-03-23T11:45:31.821562Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821571Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9b4ec8dfdc14be119b69341a52de33772cbc2efb1078dbdeacdcd35c86356d3d", "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eb7efdc6-cd7b-526b-8f95-128064b997a8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827716Z", "creation_date": "2026-03-23T11:45:30.827718Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827724Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c67fd4bf9578eb529dd8c4fe6681e1b4a6f5376036aada2e4db6a57db5246ea0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eb80ffef-805b-58d3-a664-e37e62efe32f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476585Z", "creation_date": 
"2026-03-23T11:45:30.476589Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.476598Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "83e993691aa4f5f599dddd1fab2bc3e0791587c9e93eeb9e405c130922096343", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eb8116ff-b09d-5c0a-b51c-ada5dc6b8bc2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606280Z", "creation_date": "2026-03-23T11:45:29.606284Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606292Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c7fef94e329bd9b66b281539265f989313356cbd9c345df9e670e9c4b6e0edce", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eb8526a5-96ba-527f-a07c-7a15ee8a3e8f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832816Z", "creation_date": "2026-03-23T11:45:30.832818Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832824Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fc49b67101f8ee7db2604bdb42d9c265076e60bd8c73b5d510c4b61f227d7ab5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eba34f89-2e14-5e7b-a005-04b4439f7638", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818923Z", "creation_date": "2026-03-23T11:45:30.818925Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818931Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8c20d10857c37d8ed9151fa95f6bf12f99ef2c0bea36eed2370a1f4da7737951", "comment": 
"Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ebb05a35-351d-52a1-a7ba-3cf41f860896", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468139Z", "creation_date": "2026-03-23T11:45:30.468143Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468151Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8bec85d128eb0444f10fc89b95b2c6b84a8d0405cb0a6dbc30cff8ea4c0ca043", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ebb3d61c-1806-52db-9594-167f493594a9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485353Z", "creation_date": "2026-03-23T11:45:31.485356Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485366Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "492ae424ec172ebea9d26f0f67a479084d5cef2d9390474003d49941f8a2abe7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ebde7747-3a7f-5ecd-b680-5dfcd6287cf8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490661Z", "creation_date": "2026-03-23T11:45:31.490663Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490668Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "17e831c003dc45f8b63438c8aebf5805cceed30704c1306223964be1e3af7157", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ebff7451-45ef-564d-96e1-7e560c8206cb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807767Z", "creation_date": "2026-03-23T11:45:31.807770Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807779Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1d54ebc14e22dbcda953e2db38cf37e207bd8bfbc24e1ef8ddc0f107cc04d9a0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ec0c6d51-b0c9-535b-8c3e-5ef550219775", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490173Z", "creation_date": "2026-03-23T11:45:31.490175Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490180Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3df162270502add907987cf0deaf5faaa4080956e61de6ecb2fd4d58104ab9d3", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ec0e5980-d803-560f-9ab7-5b55d17d5a97", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824240Z", "creation_date": "2026-03-23T11:45:30.824242Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824248Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d8e629a867377e1f49a9827caf036e9e2938d3a85e6e05f9d17a7e9236df2043", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ec0fe2e2-85a1-5e70-90af-f990eefab756", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473574Z", "creation_date": 
"2026-03-23T11:45:31.473578Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473588Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0d95fd391154cc4ff120ba41ab38120de99f5675d47919103bfc0f7647f872c8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ec17f731-75b0-54e8-bbbc-a193bfab9b3b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495725Z", "creation_date": "2026-03-23T11:45:31.495727Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495733Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ac7835fc414e41ce60a7bdda8f7056a6502f878c19aef5f315b164348e3bb9d0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ec18bce5-2f88-59a2-9065-03e721305abe", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461583Z", "creation_date": "2026-03-23T11:45:30.461586Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461595Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9a67626fb468d3f114c23ac73fd8057f43d06393d3eca04da1d6676f89da2d40", "comment": "Malicious Kernel Driver (aka 5a4fe297c7d42539303137b6d75b150d.sys) [https://www.loldrivers.io/drivers/75b9b0c5-dd3e-4cf3-a693-c80f2feabb6a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ec1f5ac6-5f0f-54bd-b6f3-f1129a019eb1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616238Z", "creation_date": "2026-03-23T11:45:29.616240Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616246Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"88df37ede18bea511f1782c1a6c4915690b29591cf2c1bf5f52201fbbb4fa2b9", "comment": "Huawei vulnerable BIOS update tool (aka Phymemx64.sys) [https://www.loldrivers.io/drivers/268e87ba-ad44-4f3c-986f-26712cac68da/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ec258a4f-4d8f-5368-acc1-b3aab8578783", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607595Z", "creation_date": "2026-03-23T11:45:29.607597Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607603Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4b4c925c3b8285aeeab9b954e8b2a0773b4d2d0e18d07d4a9d268f4be90f6cae", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ec283ada-4417-50a0-9258-38c9cb6ae43e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833065Z", 
"creation_date": "2026-03-23T11:45:30.833068Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833077Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a25c80390c61f13ac79d1ecaf3768450c87e25e6cfc624a3124cce975d6a9212", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ec3774db-a203-59b3-9940-d28015426670", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498200Z", "creation_date": "2026-03-23T11:45:31.498204Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498212Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cbf711e482cd15e4dd7c15317843831c32114b9690df0cba7df4ab0ed2903128", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ec3a654e-3d37-5f88-a402-8884ca748e60", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464654Z", "creation_date": "2026-03-23T11:45:30.464657Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464666Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4dc24fd07f8fb854e685bc540359c59f177de5b91231cc44d6231e33c9e932b1", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ec41d9db-66a8-5ca8-a83a-21804f0b0caf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977189Z", "creation_date": "2026-03-23T11:45:29.977191Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977197Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"72b36c64f0b349d7816c8e5e2d1a7f59807de0c87d3f071a04dbc56bec9c00db", "comment": "ASUS vulnerable VGA Kernel Mode Driver (aka EIO.sys) [https://www.loldrivers.io/drivers/f654ad84-c61d-477c-a0b2-d153b927dfcc/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ec476f7e-bc37-5683-8baa-6ab34ee94050", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617867Z", "creation_date": "2026-03-23T11:45:29.617880Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617886Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0e9072759433abf3304667b332354e0c635964ff930de034294bf13d40da2a6f", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ec4e29c1-20f2-5ca1-a0e7-21bef6b25cf6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473701Z", "creation_date": "2026-03-23T11:45:31.473705Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473715Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "09969e2f95e2468871720c997f479c1e7eec291f9508d8bab54c097649566538", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ec59c5b0-cb29-51b6-be49-befb1da34ac3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817116Z", "creation_date": "2026-03-23T11:45:31.817117Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817123Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "70596abead023e751825869d88ab90ebce30d5dd5dd91a4843846c34b7c81dfc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"ec5b1eed-3a22-54c6-9c4c-b9a7d5930607", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473945Z", "creation_date": "2026-03-23T11:45:31.473958Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473968Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1452d24bb5e59c62c57be70d13751ed1b64ffbc70f58767afee40b132e39fd70", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ec5eb4cc-ff6d-5ee5-9489-9727761eafde", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479775Z", "creation_date": "2026-03-23T11:45:30.479777Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479782Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ac26150bc98ee0419a8b23e4cda3566e0eba94718ba8059346a9696401e9793d", "comment": "Vulnerable Kernel Driver (aka capcom.sys) [https://www.loldrivers.io/drivers/b51c441a-12c7-407d-9517-559cc0030cf6/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ec707408-bd85-53a1-bc1e-a705bfdee506", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148205Z", "creation_date": "2026-03-23T11:45:31.148207Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148213Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "02436f1be9a7bd6d83e2166d256df9d7d009c58423a5f534181566575f065475", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ec82d587-a9f1-5196-9f9e-cc487dfa3d2a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620852Z", "creation_date": "2026-03-23T11:45:29.620854Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620860Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5be61901f41d55e6fbd0994869015448f8eb0450ae38f67b75ddb594c3325aac", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ec9749b9-c875-5de9-b273-d7035afd53a7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492055Z", "creation_date": "2026-03-23T11:45:31.492057Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492062Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "65c5ce7ced3df894429ae5afc7280d5f41a46af2bed07bd67915c338f62c0ed3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ec982844-38dd-5f8c-b0b1-6a5ce724060b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144617Z", "creation_date": "2026-03-23T11:45:31.144618Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144624Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aa99f49439a62d581d688d0fa420677d7fb45bc68ad6a998237b32f0acd44abe", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ec9b57fa-3fc8-5f62-ad35-33f7bafafb3d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489281Z", "creation_date": "2026-03-23T11:45:31.489284Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489292Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "25be784945f4308c9e2ee97b66132d938b4a0b298f09bc837809f312257bff10", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eca8f958-78b9-5c3c-88cc-2caffb98c29f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971696Z", "creation_date": "2026-03-23T11:45:29.971698Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971703Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "27f5c5eb9a5fc9e02d3ac3cd83fc26b07f3d0143b03db69d6dcf7554d0c50fb6", "comment": "MalwareFox AntiMalware Vulnerable Driver (aka zam64.sys and zam32.sys) [CVE-2021-31727, CVE-2021-31728] [https://www.loldrivers.io/drivers/e5f12b82-8d07-474e-9587-8c7b3714d60c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ecb1ec53-0ffb-5345-acce-4a68bd1c0d2f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834353Z", "creation_date": "2026-03-23T11:45:30.834356Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834365Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ce3b64eb877bfb70bfa2b7b436a40e95d59a21999f14218bc34bf588bd7b06bd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ecb708fa-2483-5b89-8f08-d2f73a9b3155", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.477741Z", "creation_date": "2026-03-23T11:45:31.477745Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.477755Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f3c55a31740816e8aba78ab270aa26999da006dcea48e73cae0b6bee2e326f4b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ecc12212-a9b6-524e-9544-088928d606ba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499590Z", "creation_date": "2026-03-23T11:45:31.499593Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499602Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a5c69d0f3777e09938fc2ecc46b688189241467166c38d9cce8a3ca5379e27e7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ecc5e407-be8e-5825-a998-96feca5bbedb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141576Z", "creation_date": "2026-03-23T11:45:31.141578Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141584Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dc7bd7db82d8aba66b589dc5b48e114df6d20c121b088295ed55798cf6deb427", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ecce9d9a-b037-5514-9ff4-bd171876320a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.472955Z", "creation_date": "2026-03-23T11:45:31.472958Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.472966Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d4522bc656775881708a62fa68dfc0eaee7cc91b542003b426cdc1f6243bb447", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ecde9558-37de-5be8-ace3-7a82be3d474d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975673Z", "creation_date": "2026-03-23T11:45:29.975675Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975680Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cf3180f5308af002ac5d6fd5b75d1340878c375f0aebc3157e3bcad6322b7190", "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ecec630f-04b2-5cc6-a7c5-8a841d48db88", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159085Z", "creation_date": "2026-03-23T11:45:31.159088Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159093Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3e7256f5675f54672942fb1300a20c721bf437cdb4426ba7c412c8ab5fcb1321", "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ecf093cc-21aa-55c8-9706-9bef5833626c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820355Z", "creation_date": "2026-03-23T11:45:30.820357Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820363Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e3dbafce5ad2bf17446d0f853aeedf58cc25aa1080ab97e22375a1022d6acb16", "comment": "Vulnerable Kernel Driver (aka rtport.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ecf7870f-0dd6-5477-bb0c-a70660d579b6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807796Z", "creation_date": "2026-03-23T11:45:31.807799Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807806Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "195b6b52d6279cbb21ad736aa73aa01f61a065a4d5dcf8a41a7ee36b9f108a53", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ecff96fc-71e7-5701-b544-ca995e264b3a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476973Z", "creation_date": "2026-03-23T11:45:31.476977Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476987Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e882e73f6cced1a165085580a41d3f1e7659c6d99644a7770d1f385a6668bce", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ed0de857-cf10-5ccb-9bdc-022d9dc4daee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824137Z", "creation_date": "2026-03-23T11:45:31.824140Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824148Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c35a097545fdb2fa0d3b1a1b69e7222629b19eca8347f0a8c23b4603959490fb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ed214459-5d8c-5901-82ad-2511de7ec128", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155684Z", "creation_date": "2026-03-23T11:45:31.155686Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155691Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"8cede7500fbd30800c1d05cd70d9ea3c936b20805e62c6e9be432c1fbb1a5a18", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ed2ed9fa-0961-54ec-a829-6e05aeb31293", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143360Z", "creation_date": "2026-03-23T11:45:31.143362Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143367Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0e49ed9c5f345602eb9c0511eed977eb59a1f6d8dd0a570bea8fe10e77ce8a3c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ed2f455d-abcb-5b94-baf0-077990030263", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462792Z", "creation_date": "2026-03-23T11:45:30.462795Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462804Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a906251667a103a484a6888dca3e9c8c81f513b8f037b98dfc11440802b0d640", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ed35e352-78fc-55dd-890e-7f1a063e3d9e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153068Z", "creation_date": "2026-03-23T11:45:31.153071Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153079Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c69bd737aaa422ca1cbf538ba38d8b46981f8252e9e1248f78844e7f261b5e69", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ed379425-d74d-5cf6-bfce-fd244eaaf1e1", "test_maturity_current_count": 
0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160493Z", "creation_date": "2026-03-23T11:45:31.160496Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160504Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "58895b577db6e087173ac632247d3cc559fc5062980db333ca988313db4a1c2e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ed486959-4dee-52af-8046-875acfd28e95", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618185Z", "creation_date": "2026-03-23T11:45:29.618187Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618192Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "8162811e8aae05884e8cb84b8dd87c310e5ed5ec588b9023a4d849d558d6ae34", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ed71ad43-7ff2-5500-91e7-4ecc5a408a8f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152315Z", "creation_date": "2026-03-23T11:45:31.152318Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152326Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "75102e174a843b128893b570eacc87b575bfee22ac29cbdcce6fba133537a6b4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ed757c14-7fc0-5b0c-9383-5cd7d2188669", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985978Z", "creation_date": "2026-03-23T11:45:29.985980Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985986Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "751e9376cb7cb9de63e1808d43579d787d3f6d659173038fe44a2d7fdb4fd17e", "comment": "Malicious Kernel Driver related to RedDriver (aka telephonuAfY.sys, spwizimgVT.sys, 834761775.sys, reddriver.sys, typelibdE.sys, NlsLexicons0024UvN.sys and ktmutil7ODM.sys) [https://blog.talosintelligence.com/undocumented-reddriver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ed767e9f-2b06-5dd5-aba0-6cff96246a89", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607782Z", "creation_date": "2026-03-23T11:45:29.607784Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607790Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ae6fb53e4d8122dba3a65e5fa59185b36c3ac9df46e82fcfb6731ab55c6395aa", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] 
[https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ed851c6f-a459-5b06-9d90-c7829270b3ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817078Z", "creation_date": "2026-03-23T11:45:31.817080Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817086Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "967b589e8ddfcd69a0c8e0e11db85bbc50a7e6999fba524434dc23510c14d115", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ed863673-1529-58f3-98e8-32331c537a77", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473732Z", "creation_date": "2026-03-23T11:45:31.473735Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473745Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2f8f06b727dd3e71b4cb51cabaf5dec26ec3416f2e09bfb1dbb15e06a12bc65a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ed87a1a6-1ee2-5c69-93d9-9595e8df02a6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619036Z", "creation_date": "2026-03-23T11:45:29.619038Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619043Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e69bba9f8aae090226841a02e6207fb37f784b83c6641ea15bd20e7bd3418d87", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ed8cf419-0d64-5240-9d45-148be9987cf0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490350Z", "creation_date": "2026-03-23T11:45:31.490351Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490357Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2bbd19219a53633c7e815cefd2dbe0dab2eeffcdb35626a9ef3c6cef713f1c95", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ed8d4639-c927-590a-b507-416c40fc013f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967438Z", "creation_date": "2026-03-23T11:45:29.967440Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967445Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"b16c3ed44cd04b033621ada7f9ab89d830949b3c9dc26999d862ddbeb7cc5a86", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ed913085-5e2e-512f-aeab-3c058684ab9f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620406Z", "creation_date": "2026-03-23T11:45:29.620408Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620413Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "af095de15a16255ca1b2c27dad365dff9ac32d2a75e8e288f5a1307680781685", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ed9188d2-8033-52ac-a435-27ba71c9b60e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825793Z", 
"creation_date": "2026-03-23T11:45:31.825797Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825805Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "66b6eac3fbe350daff338f36a721b9428ca0a0e68044c9922754470640dc4e30", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ed933ecb-779b-5fde-a7ed-512119307727", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615657Z", "creation_date": "2026-03-23T11:45:29.615659Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615667Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c1c18591d7b68fafa870f3d0f1124a353682765236674cc7476c5f1cc71b1528", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "edbf231a-c25d-59b7-8492-85f5e2a0f5ef", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499856Z", "creation_date": "2026-03-23T11:45:31.499859Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499881Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5684e046f0ea1f403754d81777ebba5dc5988355c05e204910ba2b892e749cb0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "edc746f7-8927-589d-85ea-248801903fda", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481841Z", "creation_date": "2026-03-23T11:45:31.481844Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481854Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "fa197d0569bc9871bcc78e307e744ccd973d05aaee2b1a297d2ad0c6df427262", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "edd0faab-d72a-5a85-9fbd-174bc1f43368", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463642Z", "creation_date": "2026-03-23T11:45:30.463646Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463654Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "569fe70bedd0df8585689b0e88ad8bd0544fdf88b9dbfc2076f4bdbcf89c28aa", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "edd30f7b-11e4-5764-ad93-d6d76cde2e6b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.828724Z", "creation_date": "2026-03-23T11:45:31.828726Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828732Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3ceb5fb4546ea5cff844d1e0b90b60040bec49caaf4eed3b38a42e98952d62a5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ede0e491-01da-5aa6-8da1-5bfc3f524519", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816785Z", "creation_date": "2026-03-23T11:45:30.816787Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816793Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "11832c345e9898c4f74d3bf8f126cf84b4b1a66ad36135e15d103dbf2ac17359", "comment": "Vulnerable Kernel Driver (aka CP2X72C.SYS) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ede873ed-cb66-56de-ab35-1713983ebc34", "test_maturity_current_count": 0, "test_maturity_delay": 
7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143980Z", "creation_date": "2026-03-23T11:45:32.143982Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143988Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "88f36fda7dcc6d5af2bcbef29d14fd4032247d4b45f5299944be31441ab53bc1", "comment": "Vulnerable Kernel Driver (aka CSC.sys) [https://www.loldrivers.io/drivers/1c92e1bf-103b-4545-b242-e5a9858ec9c8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "edf1a25a-2899-5820-b9ab-bb5b7a26aff9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622174Z", "creation_date": "2026-03-23T11:45:29.622176Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622181Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"d205286bffdf09bc033c09e95c519c1c267b40c2ee8bab703c6a2d86741ccd3e", "comment": "BioStar Racing GT EVO vulnerable driver (aka BS_RCIO64.sys) [CVE-2021-44852] [https://nephosec.com/biostar-exploit/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "edf7f554-cb75-59f6-bdd5-b6fb7897d46f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836468Z", "creation_date": "2026-03-23T11:45:30.836471Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836476Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c77a23599f2eab14c330798defb9189fe1983a394cbee62dbcb725b365c9645b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ee16ce9a-f275-5daa-94e9-44b3648485dc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829125Z", 
"creation_date": "2026-03-23T11:45:31.829128Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829137Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "304c18db58ffbdc11d35a5475a682c95ab932468cc84c31e98deaa0680fe7ea2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ee1b86ce-53fd-57a6-ab83-a7fdfa460f60", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483340Z", "creation_date": "2026-03-23T11:45:31.483344Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483353Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a33cbfa4c55625d74ced7b1b6c74433fd57882f65677ebe2010191dd8812f0b3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ee1c2bab-e320-51e3-a245-96cbd130303e", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978170Z", "creation_date": "2026-03-23T11:45:29.978172Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978178Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "83ac9bf01c2d2ab0f66782fade462864f42b86e53dc455e1441c2a16d0ec2847", "comment": "Malicious Kernel Driver (aka 0x3040_blacklotus_beta_driver.sys) [https://www.loldrivers.io/drivers/8750b245-af35-4bc6-9af3-dc858f9db64f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ee35292b-b6c0-5326-a863-c803f917f178", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154656Z", "creation_date": "2026-03-23T11:45:31.154658Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154663Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"a192d1cd870059a96661cb4ec05d5acdb0c7588aeacb390805237e55cf10f073", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ee4ac39b-c7ff-5b43-b199-284e93fff580", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160570Z", "creation_date": "2026-03-23T11:45:31.160572Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160577Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c4ca5d33aef0a2c435fdf1d4d7ee7726121c5b3857249255ab92861dafaf8b06", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ee4f24ab-fa60-5a37-8f94-4c0a3ab7ed84", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606139Z", "creation_date": "2026-03-23T11:45:29.606141Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606146Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "77950e2a40ac0447ae7ee1ee3ef1242ce22796a157074e6f04e345b1956e143c", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ee50abb9-7836-5c47-8f3f-7d75e5dd9bd0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820012Z", "creation_date": "2026-03-23T11:45:30.820014Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820020Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "abbf92203a31c93b8e719cdabff1c681921edbaf43cd34da79c86cb5a806757f", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ee667ac4-91de-5cb7-8d10-14a9e7e9f9cd", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822522Z", "creation_date": "2026-03-23T11:45:31.822526Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822534Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "09f0ae64632dc0122b29d4708217d7a8332fef12d91bc8bae5c66ae6c9067385", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ee754b0d-36fd-5d32-b057-a77d8b1079c5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469836Z", "creation_date": "2026-03-23T11:45:30.469840Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469849Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "58ed3bafe401102ddf52c9c2e006408ef181ceaf85741a73328d8fe92195edca", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ee961be6-32df-5df7-a822-784c26004ba7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.820266Z", "creation_date": "2026-03-23T11:45:30.820268Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.820274Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f3fc8f8dddbd471fa2d5deb292552876b3c737b09149307f901e38b53cd62648", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ee98abba-b4e4-501b-ac4f-9b16d36c4f92", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150599Z", "creation_date": 
"2026-03-23T11:45:31.150601Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150606Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "19a6d53a72915b456b800c699c38b30aaaa009939b9ea1e1fa229d57f1ca46db", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eead8ee9-b9bd-51d0-8674-4f54d5b5be3a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479992Z", "creation_date": "2026-03-23T11:45:30.479994Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479999Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1ca20c63d8f56c09c48d0faa1894f2e3fccd4b029fd711d9864355e5f29c19f8", "comment": "Vulnerable Kernel Driver (aka AsmIo64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eeb016a8-5e5e-5744-a789-c9a1a68f5318", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486801Z", "creation_date": "2026-03-23T11:45:31.486804Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486813Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "89a6952035427dfbb70e27e1456e8b13648f205609871924027f4dfc3ade37cf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eeb71fcb-1aa6-5bf3-b1e9-0b20981ee673", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831748Z", "creation_date": "2026-03-23T11:45:30.831750Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831756Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"a348c4ac61303db7a1dbab06c95e56abbcd947d394dce5e2316232ce58b22bd9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eeb994b3-e138-5e6a-aecc-8176cc25b143", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977514Z", "creation_date": "2026-03-23T11:45:29.977516Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977521Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5fad3775feb8b6f6dcbd1642ae6b6a565ff7b64eadfc9bf9777918b51696ab36", "comment": "Vulnerable Kernel Driver (aka CorsairLLAccess64.sys) [https://www.loldrivers.io/drivers/a9d9cbb7-b5f6-4e74-97a5-29993263280e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eec9b3ec-9b5b-560c-a8f6-05a9aa396028", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973059Z", 
"creation_date": "2026-03-23T11:45:29.973061Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973067Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c8eaa5e6d3230b93c126d2d58e32409e4aeeb23ccf0dd047a17f1ef552f92fe9", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eed73264-cbbb-5a19-8ef9-ecae7481d090", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981670Z", "creation_date": "2026-03-23T11:45:29.981674Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981683Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f8886a9c759e0426e08d55e410b02c5b05af3c287b15970175e4874316ffaf13", "comment": "Vulnerable Kernel Driver (aka netflt.sys) [https://www.loldrivers.io/drivers/35a9afeb-18f1-4c02-a3aa-830e300138ae/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eed909b5-6a82-53cd-a387-c62d67abc935", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488621Z", "creation_date": "2026-03-23T11:45:31.488623Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488629Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a7a95440a117482379be31db69537776dbc52c0128e89d9684aaa65e13190713", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eeee10ba-db56-5871-b08d-68b2b2cb4b96", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977278Z", "creation_date": "2026-03-23T11:45:29.977280Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977286Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"37a1a3fa4dc148924c1bfb60c88ffef082ee58cd0ee804d2de0f1d22c1e7802c", "comment": "Malicious CopperStealer Rootkit (aka windbg.sys) [https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "eef8e40f-78f7-572e-85d2-eda0ac8e0695", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156655Z", "creation_date": "2026-03-23T11:45:31.156657Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156662Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c6331505edd1014cc52161204024e2abca62b87158666db06c8524508402a7a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ef0290d0-3329-566b-aeaa-61e94c4d0768", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.824348Z", "creation_date": "2026-03-23T11:45:31.824351Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.824360Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a1921a4cf383b837935c4108ce3369680b097cfc1b05e685e26d53f8bce22c0d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ef0b5f79-66a4-5adf-b74d-71a281deee4f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148434Z", "creation_date": "2026-03-23T11:45:31.148435Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148441Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b19a70942d8a2712416840edb13c6efd0ba483fa62e68496ea437ced7b9519dd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"ef111985-c75f-5ada-bc6a-07dcb46fbdb2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978336Z", "creation_date": "2026-03-23T11:45:29.978338Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978343Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3f55375fb70cb355fe7de7f59904b12ef996447cbc7113fefa379995e040d678", "comment": "Malicious Kernel Driver (aka wantd_4.sys) [https://www.loldrivers.io/drivers/72637cb1-5ca2-4ad0-a5df-20da17b231b5/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ef11a8dc-0bc9-5b08-a7c8-a7a85ae901e9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808432Z", "creation_date": "2026-03-23T11:45:31.808434Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808440Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "5319f51a82e9725a01e7c6c00bab47a6223aa2b5e36ea39428225ee06cf06247", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ef1c56ab-e16f-5204-a51d-8029bd4bc19c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807351Z", "creation_date": "2026-03-23T11:45:31.807353Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807359Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3bd87b14bf7ea7b946b02aab0f20947ffa672219bfb1683bb2cc8a537978e121", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ef3bc8fd-d979-5543-ab4d-ea5b12285673", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978686Z", "creation_date": "2026-03-23T11:45:29.978688Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978693Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5b9623da9ba8e5c80c49473f40ffe7ad315dcadffc3230afdc9d9226d60a715a", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ef40c6b9-422b-5ac6-b5fa-94ed9300a78b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615798Z", "creation_date": "2026-03-23T11:45:29.615800Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615806Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "826e80ea5f657c75127c066b86caea8089f33b09b12c3d393fca8efedd40c1ef", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"ef55c5dd-d7aa-59db-82b2-e98e93056af0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456018Z", "creation_date": "2026-03-23T11:45:30.456022Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456031Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c191c7d4ec03c4ef0f51a67af42a90390f75ebd6f83dbc05e317fe5a90a1fb31", "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ef57c6b0-6e84-54a9-a434-f431fbf641f8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492556Z", "creation_date": "2026-03-23T11:45:31.492558Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492564Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "210b908936b7bcd3883c3e5b8924fdce25cba194f042e973125205307880af06", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ef63870b-2700-583e-951d-5a7214d58905", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608705Z", "creation_date": "2026-03-23T11:45:29.608707Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608712Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8ff48482c844ad0ab51365b9286197bc3c3173f02d62fc7ded68fc2b299b448b", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ef6a0c1b-977e-5c3a-a7ca-b6add94c0eed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144018Z", "creation_date": "2026-03-23T11:45:32.144020Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144026Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "77cb09dc2fc3c56f3b12ad03a85cedbe3a8e0bb876dadfd76a1fb6c57602817b", "comment": "Malicious Kernel Driver (aka driver_090d409f.sys) [https://www.loldrivers.io/drivers/00561455-9da1-4f0c-8564-e4c99b716a74/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ef6b9b15-a457-5b5b-843e-1e9ca9540352", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160047Z", "creation_date": "2026-03-23T11:45:31.160049Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160054Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "111a37b0a0fbb135ad69da789e5ea53985c444dd0d6f91713c6bdd0d1060524c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"ef719e5e-f04f-51f3-8c70-1ad369707863", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489109Z", "creation_date": "2026-03-23T11:45:31.489111Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489116Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "77e344edd8e09c77c87843e37de9a5f286a1db3d41f8593bc970efa7a2a0433d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ef71cb45-3dc1-5ba4-b99a-03796755eb52", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985063Z", "creation_date": "2026-03-23T11:45:29.985065Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985071Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f5215f83138901ca7ade60c2222446fa3dd7e8900a745bd339f8a596cb29356c", "comment": "Dangerous Physmem Kernel Driver (aka Dh_Kernel.Sys) [https://www.loldrivers.io/drivers/dfce8b0f-d857-4808-80ef-61273c7a4183/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ef785546-217b-55f6-b8ef-e431343e35e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494710Z", "creation_date": "2026-03-23T11:45:31.494712Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494718Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "da2330df96145c6bafe1563867de202570112737ea27da2e43bb4ec11e66db25", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ef79d680-d697-54d1-85f1-cb2b858b5ef8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, 
"username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460579Z", "creation_date": "2026-03-23T11:45:30.460583Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460592Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c425793a8ce87be916969d6d7e9dd0687b181565c3b483ce53ad1ec6fb72a17", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ef7f376d-04eb-5cdb-823c-c923c15db51d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469369Z", "creation_date": "2026-03-23T11:45:30.469372Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469381Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fde2df81ad28f2306a2daf636041eb747a035d8f08709cdac2d53987d9edef4a", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ef862a0c-d4d2-5882-a33e-4fcbb2db018a", "test_maturity_current_count": 
0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155241Z", "creation_date": "2026-03-23T11:45:31.155243Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155248Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "14c2cc0a314f51750e274f339c057b88509ec0ff996d1ba13d19317834848019", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ef8baf7d-9f53-5e5d-a45f-e2206661bc77", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829386Z", "creation_date": "2026-03-23T11:45:31.829389Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829398Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "ec978cd1362e1f6d9c0afab0a13d9cb10cf9ef35d674451c4c67ad934877a147", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ef93f228-7cb5-5c11-a2d3-c55ae5a65410", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619575Z", "creation_date": "2026-03-23T11:45:29.619577Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619582Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "34f6f68262fb25da9f6c974d6c2be8deb02b251506c847a4d6fc15f0cf5613a0", "comment": "Insyde Software dangerous update tool (aka segwindrvx64.sys) [https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Program%3AWin32%2FVulnInsydeDriver.A&threatid=258247] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "efa69846-5793-5974-a73e-7e1ad7b0ad39", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.471745Z", "creation_date": "2026-03-23T11:45:31.471748Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.471758Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b35ac0a4ee6955a86abdbcc13576b77f4207c67a203e9e3b288cb15a0c7f9e49", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "efa89129-e939-53c8-babe-3780cfc5a234", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826765Z", "creation_date": "2026-03-23T11:45:31.826767Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826772Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "51ad1bbbf59f79eeb923399825ec464589be427c5611d64bb5d47df7a3273240", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "efb244d0-676f-5216-bfe1-945af34706c8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972248Z", "creation_date": "2026-03-23T11:45:29.972250Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972256Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "50bc80ebd0b61bc46a4cacb915602acdecaf47c5c767a020bf103c511327169d", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "efb24eae-ecab-599a-bd79-efbd5742e6ba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159598Z", "creation_date": "2026-03-23T11:45:31.159600Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159606Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "74b5fca7c4240da63fde43eaebb9253fc09743f350b9ff3e4ca2eec24f264ac7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "efb36918-ccb4-57e2-8e7c-321ff1262f45", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823554Z", "creation_date": "2026-03-23T11:45:30.823556Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823562Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a237ca9187b7a3b712c3d82e5a448e424502723bbb5ddc2b7031bc3fda427d39", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "efc0d5f3-03e6-56f9-9e0b-e144cf188019", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811916Z", "creation_date": "2026-03-23T11:45:31.811918Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811923Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0a915b38bdb60aee912061533f0ca8eb81919daa89b39857a35ec596975f6b4b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "efc2d080-97db-5f64-a0a2-bd163c629609", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830204Z", "creation_date": "2026-03-23T11:45:31.830206Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830211Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9b004a79cad9699b5442c85257e1a3f4730d5bb55858958c2de0da9f20c75585", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "efd232bd-abaf-5154-aca8-6d97381b1062", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146960Z", "creation_date": "2026-03-23T11:45:32.146963Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146972Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "17a997feed57712f46558b4c99766d5b7722e1b095133b6b391a4743140e45de", "comment": "Vulnerable Kernel Driver (aka CSAgent.sys) [https://www.loldrivers.io/drivers/ca6455d1-b06e-496c-be33-f89c41b27540/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "efd4399e-86a5-5b68-905c-8f2a62601ef2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491760Z", "creation_date": "2026-03-23T11:45:31.491762Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.491768Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8671130cfa9caf8f7906a045ffe78863d90b39632b040c27b64c8e2e4ef6907e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "efe50127-f8fe-5435-a84a-ffbe52c3e57b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488081Z", "creation_date": "2026-03-23T11:45:31.488083Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488088Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4e6fa3809d27690bbafec8169babaebf7cad6bbc92a2da46bea44b6449a6555c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "efe550dc-8c22-5146-ab27-d9cc169ee7ad", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982922Z", "creation_date": "2026-03-23T11:45:29.982924Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982929Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "87aae726bf7104aac8c8f566ea98f2b51a2bfb6097b6fc8aa1f70adeb4681e1b", "comment": "Vulnerable Kernel Driver (aka WiseUnlo.sys) [https://www.loldrivers.io/drivers/b28cc2ee-d4a2-4fe4-9acb-a7a61cad20c6/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "efffb64d-ef10-52c7-8bfa-266432c4c6e1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151955Z", "creation_date": "2026-03-23T11:45:31.151959Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151968Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7b70df6587cbc7ac03775ccc56a4e9968f043593e5b7f527ea16bafd83da91a5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f009da7d-f665-555f-aab6-c828df633274", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147518Z", "creation_date": "2026-03-23T11:45:31.147520Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147525Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "65e3626d970e6930fb0b845ca1b248d077b0b28344589b373a6bc4dd17a9d589", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f00ac7d0-b918-5151-b759-f7ef945aa72a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605612Z", "creation_date": "2026-03-23T11:45:29.605614Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605619Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d944cd16626a5e72a3183a6e30e1b44807d4d48d41eb8904beda41de899634e2", "comment": "Legitimate Sysinternals Process Explorer kernel driver (aka PROCEXP.SYS and PROCEXP152.SYS), known to be abused as a signed BYOVD driver to terminate protected processes; note this is not a malicious or vulnerable-by-CVE driver, so quarantining this hash will also hit hosts where Process Explorer is legitimately in use [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f016559d-ebea-57c9-aa04-28be1a2ca494", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144967Z", "creation_date": "2026-03-23T11:45:32.144969Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144974Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d1ea9e16cefbec53a65a290bb42ee9d6e31218b9d4dfca676b66373cece9a54a", "comment": "Malicious Kernel Driver (aka driver_d1ea9e16.sys) [https://www.loldrivers.io/drivers/8697785a-d088-42a7-ac25-b5c8a3b22664/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f019f337-4c4c-5e3f-b21e-2d853cc47595", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610353Z", "creation_date": "2026-03-23T11:45:29.610355Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610360Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2ef7df384e93951893b65500dac6ee09da6b8fe9128326caad41b8be4da49a1e", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f034cab5-d72a-524a-b8c5-d7cfc6f1cef6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146836Z", "creation_date": "2026-03-23T11:45:32.146838Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146844Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fb0dbc3b9c897b7571b94fb2203ffb1ac0facfe366b2cb1f91904ea5335018f0", "comment": "Vulnerable Kernel Driver (aka BioNTdrv.sys) [https://www.loldrivers.io/drivers/e6378671-986d-42a1-8e7a-717117c83751/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f037a0a8-4c01-5be7-b117-b8209798deff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145131Z", "creation_date": "2026-03-23T11:45:32.145133Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145139Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e38eb95fd1593c73311d426dbd85491494a4521aaa4c4ef66e02f7d6d0339171", "comment": "Malicious Kernel Driver (aka driver_4f9b5a2f.sys) [https://www.loldrivers.io/drivers/b660d253-2b60-46c5-b95a-c354aa5eb154/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f03906e9-ffdf-5077-bd2a-d72b34806ee0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152548Z", "creation_date": "2026-03-23T11:45:31.152552Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152557Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "56555f87cd6b154ea3ddc4195900fbea74f45cd8376b335864733fd4a51c69e7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f0477214-7582-5bda-a0c9-8307b7b9469b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812379Z", "creation_date": "2026-03-23T11:45:31.812383Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812391Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c02cc59bb4fbe9aa64762b1c91edf512cdfc12a9363d396864354d95d3b8492c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f04a159e-819d-5461-93fd-e0db9e3d8621", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": 
false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140400Z", "creation_date": "2026-03-23T11:45:31.140402Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140407Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "533efbc6f25ded2d796c0c96c8e1bc8b051117e1592b2e66eafe29faeb2b00b3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f0509759-837a-54d5-afdf-f48f3a85863f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612812Z", "creation_date": "2026-03-23T11:45:29.612814Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612819Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4880f40f2e557cff38100620b9aa1a3a753cb693af16cd3d95841583edcb57a8", "comment": "Marvin Test Solutions HW vulnerable driver (aka Hw.sys and Hw64.sys) [https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/] [file 
SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f056e731-5b05-58d5-90ca-2971569220f6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454594Z", "creation_date": "2026-03-23T11:45:30.454597Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454606Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e2a75c0a5e5cb6c28432ff796d5bd6cb154139498c23b2076b5db06b453acb4", "comment": "Vulnerable Kernel Driver (aka kEvP64.sys) [https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f0589276-ba84-5e14-9475-6d65cc5c0998", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615623Z", "creation_date": "2026-03-23T11:45:29.615625Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615631Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c1795ec9d05d0efe56e76bf4b76a09a804d3cd5b0e75bc47049d5ee488fc2bec", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f05e2246-9183-5025-9309-244870ac083b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483565Z", "creation_date": "2026-03-23T11:45:31.483569Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483579Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "44c425bee3b0ec076e2d69aec8f1cba7a0a7e696b5956151f5d5e01daf9a276e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f06a3ce5-ea36-5f1e-bc81-4b17a44441cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480268Z", "creation_date": "2026-03-23T11:45:30.480271Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480279Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "33494ed37d4be23b7de493d5f2c9c31a83a7a834c79a5fd7c2a93c1054f583b1", "comment": "Vulnerable Kernel Driver (aka GEDevDrvSYS.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f07a2183-25e1-576d-aac8-6da429b664d7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828225Z", "creation_date": "2026-03-23T11:45:31.828229Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828237Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a330bbf3d7e7df05ccc862ce00558226515259db9beefc461ca52b20bc550ac1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f0842e48-acc8-5301-a18d-6b1d8a87a020", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620798Z", "creation_date": "2026-03-23T11:45:29.620800Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620805Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b9b3878ddc5dfb237d38f8d25067267870afd67d12a330397a8853209c4d889c", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f093affe-0ee2-551c-817c-7f4a71f115c3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454124Z", "creation_date": "2026-03-23T11:45:30.454128Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454137Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d7c79238f862b471740aff4cc3982658d1339795e9ec884a8921efe2e547d7c3", "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/bc5e020a-ecff-43c8-b57b-ee17b5f65b21/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f0994127-6151-5352-9f80-6b55f6c9248d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807370Z", "creation_date": "2026-03-23T11:45:31.807372Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807378Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "504aa932b4c664e62f7958a8284040a3e4e89a8faf53b28ea6cd86d4ea3bc637", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f09c11f2-c992-5566-8d4a-2ed64efdbc3c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, 
"username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819912Z", "creation_date": "2026-03-23T11:45:30.819914Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819919Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "35ad05063e2b44b2e606464f12405b954ac8bc8417fa9732ba13365dbe26f90b", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f0a88f52-7fba-5427-9a57-9f90bdc090eb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826685Z", "creation_date": "2026-03-23T11:45:31.826687Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826694Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d091fd19eadd1cbb97b279d50c022ecd1bf2178a24552086ecf43e1c26e3b8dc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"f0b4bc5b-8184-532a-b959-58983c714a70", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832927Z", "creation_date": "2026-03-23T11:45:30.832930Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832938Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fbb1b9ec0952ce9e643da077c2b8a0ad892f94b749c5e1f6d521934c7b85fe37", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f0be8ae1-bc11-56e5-8f81-65a4f7925e2a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818134Z", "creation_date": "2026-03-23T11:45:31.818137Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818146Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cdf3023c31e1d6e135a213d0b6b5ec1042a76f9c3a0aaac5bf3ca44ae7e93dfe", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f0c4e43a-0147-5621-91fc-85ee3f7fcfe5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480099Z", "creation_date": "2026-03-23T11:45:30.480101Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480107Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "59cbdc9190000b1de3719dbdb5d90459c602487672a3bae9c56d8ffae5e64250", "comment": "Vulnerable Kernel Driver (aka stdcdrv64sys.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f0d51228-26d4-5581-af10-29572aabef61", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, 
"username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.497596Z", "creation_date": "2026-03-23T11:45:31.497599Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.497604Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b7310f23cc50de883174cdd6d2bb3ebeb5f82e9cfe8a600e430260574537a585", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f0d72f79-9ee9-5b63-8d78-30953b161ea7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465709Z", "creation_date": "2026-03-23T11:45:30.465712Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465721Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "07759750fbb93c77b5c3957c642a9498fcff3946a5c69317db8d6be24098a4a0", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"f0e66f8b-d6b0-5d17-a2fd-4d2d5e1c0643", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466865Z", "creation_date": "2026-03-23T11:45:30.466881Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466891Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7e1d32e156037b09105c3640d06e5b34fbe0bb49c605697d13b5fc26776fae26", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f10681fb-11c8-53d5-892d-3910a058261e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980603Z", "creation_date": "2026-03-23T11:45:29.980605Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980610Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "39789a159c1196255f1b6d83e23af4082fd4cffe2662e40b71631b4e2e4bc05d", "comment": "Vulnerable Kernel Driver (aka rzpnk.sys) [https://www.loldrivers.io/drivers/1c6e1d3b-f825-4065-9e0c-83386883e40f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f10b8f44-5a16-5d0a-873e-040078513b9c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456982Z", "creation_date": "2026-03-23T11:45:30.456985Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456995Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ce12d9c2996a6626f6fc68415f8a94851b3468c9c62cc408dbdc0227cf77939d", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f10c51b7-b98a-5900-9a99-77ecc1bb544b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.494905Z", 
"creation_date": "2026-03-23T11:45:31.494907Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494912Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9cd1e2a2f242719ea4f69364abc3d0732a119eea406e01c1cd53b3fb4222e66f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f1111198-594d-5e46-a6f3-548f2ed5e68d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815141Z", "creation_date": "2026-03-23T11:45:31.815144Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815149Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fa1c8e1f60b19fe70de7fa80763a193bc85aa4bb1803895a8a849992429633a8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f1111e04-83be-532b-9b22-8ed433340468", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826786Z", "creation_date": "2026-03-23T11:45:30.826790Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826799Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "91ea0f447ba2d2ceee00054c3df287499cb62c73ff272907a7295199ec6a8964", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f11a38ca-434e-531b-9e7a-3001eb011fa1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615468Z", "creation_date": "2026-03-23T11:45:29.615470Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615475Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "6bed7f1304c6785a06064b04e0e3cb55384588f18ea2fc348a6fcd5784f47558", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f12e2a70-d771-5ff9-9fda-47f9f2b54240", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156826Z", "creation_date": "2026-03-23T11:45:31.156828Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156833Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bef75f86c7f13b273f45d3bfd16f5875e1a77b5c6932c48eb1aa3729d06913b1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f13fad44-f5c3-5f61-a012-bd27aeab9bb7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495208Z", "creation_date": "2026-03-23T11:45:31.495212Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495221Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "407b5dbd822eea9b5b3edd0cb655f32a46456556fe093782ea97008a489e1f10", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f15b1e12-8ff9-51bd-ac87-1d0072064ad0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608509Z", "creation_date": "2026-03-23T11:45:29.608511Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608517Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c26b51b4c37330800cff8519252e110116c3aaade94ceb9894ec5bfb1b8f9924", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f16e2754-36a2-56b0-8917-0ca513a9787b", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.464274Z", "creation_date": "2026-03-23T11:45:30.464277Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.464295Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ddf427ce55b36db522f638ba38e34cd7b96a04cb3c47849b91e7554bfd09a69a", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f174fe92-7627-5b5a-b372-18523243d89c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.977671Z", "creation_date": "2026-03-23T11:45:29.977674Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.977683Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"b0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427", "comment": "Malicious Kernel Driver (aka ndislan.sys) [https://www.loldrivers.io/drivers/ca1e8664-841f-4e4b-9e67-3f515cc249c6/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f17a2fde-af7e-51b3-a83e-26cf8ccc52b0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822562Z", "creation_date": "2026-03-23T11:45:31.822564Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822569Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "38980f591007022c8f68c2eabf2aa3cafc10c0e9c309d55b72caeb800b6b9cb3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f1807d93-e4bc-56b6-b0d4-020298ed4860", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140889Z", 
"creation_date": "2026-03-23T11:45:31.140891Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140897Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fdc25ef91df92c829a9c6a84d113c9d2aba8a2d0e8f4216811b65b24545849a7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f18c26ff-19aa-5bb8-93f3-1f86c2ad22dd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151126Z", "creation_date": "2026-03-23T11:45:31.151128Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151133Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "096b82775ee0664258be2fdbed5010df114b58bbdd5c6d2d13c19d2ad3304c3a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f18d4bae-38cb-57c7-a551-61d373e887d9", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828772Z", "creation_date": "2026-03-23T11:45:30.828774Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828780Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3feab99a4a150a7eac92105a60ce736a73c84959e7c219e7609e080e389e21f8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f191ff4f-7a22-52d1-b856-c97c51254e3e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473172Z", "creation_date": "2026-03-23T11:45:31.473176Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473185Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "b2728b3f04b4a6bbfcdeeecdf37658ed19efc51801b4e7bde68c874db10a5115", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f19c9e47-a87b-512a-97ef-ddc138101834", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478731Z", "creation_date": "2026-03-23T11:45:30.478734Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478743Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3de38ef40dbda07a537a7e48cb5d59dbd17bf27d5d399b32df737cd67c0cdb25", "comment": "Vulnerable Kernel Driver (aka Tmel.sys) [https://www.loldrivers.io/drivers/1aeb1205-8b02-42b6-a563-b953ea337c19/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f19fb2c4-a6c1-5285-97f0-6b468e58cceb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.815561Z", "creation_date": "2026-03-23T11:45:31.815563Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815569Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "14d4cb61507001029e0a38335390e1c5f67b367265fb121444bc1cedd7fc2180", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f1aa4c15-bb4d-5d04-a94f-e9c64a3c7d16", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474146Z", "creation_date": "2026-03-23T11:45:30.474150Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474159Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e05b62738ebb09250227e87908d67a3fc74e4c684d5a86ef935243a6f0e06792", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f1b05792-b635-5a2f-bfbd-80e45e738dba", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146438Z", "creation_date": "2026-03-23T11:45:31.146440Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146445Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2dc643b646da999eac18f03008f15fc7a7b3fd5595421c414030f41d779a7fee", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f1b2f70b-c231-5b16-854a-5616cbf61ca8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817587Z", "creation_date": "2026-03-23T11:45:31.817589Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817594Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"9bfeefddca836d1ed653f58afb55c1de163ad9ad16ae2d4dd773689215700c36", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f1bd710a-5125-5dd5-a15b-063fb78c0367", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481743Z", "creation_date": "2026-03-23T11:45:31.481747Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481757Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e1639041f4e68b08a44878dd42ea8f9123bfb61a7e551ecc4588aa15c9a108d9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f1bdc46f-a13c-5c02-85c2-286df9d3f7bd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612674Z", "creation_date": "2026-03-23T11:45:29.612679Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612686Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6e64c1bbaa6b5dba3f3795f5932511f8f8a49d68d420267896e2e4e51b9d46bc", "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f1c3031c-2d8f-5415-81c7-7202273e1331", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146726Z", "creation_date": "2026-03-23T11:45:31.146728Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146734Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3deb79134902ff1594ba01d8b3fe1b8538f6679a5bb226db6445c97b9d824fda", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"f1d5f552-7b6a-5873-ab52-822835dc9a98", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619160Z", "creation_date": "2026-03-23T11:45:29.619162Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619167Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a00b50cc1d95abc3ada635f331c5911d1aaf9ae8b86d359db6fc7f6fc5eb0c94", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f1d8e0a5-d166-5b0b-a346-2fb8186c760e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146583Z", "creation_date": "2026-03-23T11:45:32.146585Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146590Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "89036534a3da657882da96d9f211ae41efab4083bd6dbedbeaa2516d1d04cff4", "comment": "Malicious Kernel Driver (aka driver_89036534.sys) [https://www.loldrivers.io/drivers/750a8aa9-a87c-4142-b96b-18ea139ada14/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f1db1a3b-5dc5-509d-83de-0402a17b315e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807900Z", "creation_date": "2026-03-23T11:45:31.807904Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807912Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0303bcb24f12bf45eb3dc32a339e8beb5a4b9c7061a5d8284c8d08c418ed1945", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f1dbd499-5d90-55e9-aae7-9cce5299e54c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150669Z", "creation_date": "2026-03-23T11:45:31.150671Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150676Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "94955464e5e0c0d8e02fc1a834edb7b6cac474c07f55ada866de19052596ec94", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f1ddf1ca-6cf6-5487-8de0-8d7772d2f903", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833480Z", "creation_date": "2026-03-23T11:45:30.833483Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833491Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1d4a05d39bdc3085f6ad89d075e134de712d6d291a44d4a6917d49455b6f22e8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] 
[file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f1e310fe-9cd0-5be8-98e4-cbb974b7a281", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830455Z", "creation_date": "2026-03-23T11:45:30.830458Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830463Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2cb79703aca300534076b6a50ce979a0e2f7ef66b925d274d5f129d7326d2e4b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f1e4fa9d-1398-5c6e-8044-ca2f4bca0ce5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.830482Z", "creation_date": "2026-03-23T11:45:31.830484Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:31.830489Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "32407d25620fced3f4ab040008605cc3da0b35f54384b832563877912bc4fe67", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f1e52fd2-25e6-5c40-a575-2fc6df4b5e91", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984839Z", "creation_date": "2026-03-23T11:45:29.984841Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984847Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f43d977a5fb1bdc10837e7c4ff03526d2b8fa9757da9dd8bd6514cd31748a858", "comment": "Dangerous Physmem Kernel Driver (aka AsrSmartConnectDrv.Sys) [https://www.loldrivers.io/drivers/57f63efb-dc43-4dba-9413-173e3e4be750/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f1f798e3-a0f4-5563-9949-a5353781c4cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975411Z", "creation_date": "2026-03-23T11:45:29.975413Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975419Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0ad2d2fe1b16e42f43788dae1f0f45031b5025ef6bcc52360e18812820682f04", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f1fdd0f6-1d05-5427-bb5a-4376e86e88ae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483992Z", "creation_date": "2026-03-23T11:45:31.483996Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484006Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"dfdb92dbe9139a155de234bbfa711b98fa3de517456d493a893416836bf6980e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f2030bd3-093f-5ab6-aa1b-b4d8e042d93c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478665Z", "creation_date": "2026-03-23T11:45:30.478669Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478677Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e505569892551b2ba79d8792badff0a41faea033e8d8f85c3afea33463c70bd9", "comment": "Vulnerable Kernel Driver (aka Tmel.sys) [https://www.loldrivers.io/drivers/1aeb1205-8b02-42b6-a563-b953ea337c19/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f20cd15a-7bcf-55af-9382-34a1b17b6769", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816141Z", 
"creation_date": "2026-03-23T11:45:31.816144Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816151Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4fe6fdcc1b3435a182e6f3425008f4db2a20154f76cb83745d202c30182c2e6a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f218ce3f-d1de-5d2b-ad06-1a52680b1759", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159211Z", "creation_date": "2026-03-23T11:45:31.159213Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159218Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "915c0bc56291c65b9261e47b14a49ebbc08b7df4e05eb1905526950f263dc956", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f223c386-4424-5bd0-a34f-11a45c6bd7b7", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452124Z", "creation_date": "2026-03-23T11:45:30.452128Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452138Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "292ada92cd442f78bfafe4098105c5e3f2427589f32ee5999d90b61c422fa445", "comment": "Vulnerable Kernel Driver (aka VBoxUSBMon.sys) [https://www.loldrivers.io/drivers/babe348d-f160-41ec-9db9-2413b989c1f0/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f22a67df-fc5d-5eee-985c-b921e0511785", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823827Z", "creation_date": "2026-03-23T11:45:30.823829Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823835Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"b2c0f60a05123a3c8fd93c8a3e8c1c276d1f0966b31f0981cf7c269098e0defb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f22b563e-1309-5632-acf9-2e8a89ba9d47", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452278Z", "creation_date": "2026-03-23T11:45:30.452282Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452291Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "91793baa79b630f452267c408cc7509f25aa7ac0e39e88576e3daed3dcd5d8e5", "comment": "Vulnerable Kernel Driver (aka mhyprot3.sys) [https://www.loldrivers.io/drivers/2aa003cd-5f36-46a6-ae3d-f5afc2c8baa3/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f232cd25-ab49-5580-84ab-1317e112a45b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605082Z", 
"creation_date": "2026-03-23T11:45:29.605084Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605090Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a742196d6446e5178c3d46180d53889d962f3b1a19bc3439f71cc6ac7b15f430", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f2377ffe-c276-5a49-8f03-64e653f22ec0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146691Z", "creation_date": "2026-03-23T11:45:31.146693Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146698Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8f7f051b49360911cb55e80b8f787582f2d9689f9b9dc19f47ca701acb8a6e1d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f24c4f57-0420-538a-b901-9176e64e3186", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.982748Z", "creation_date": "2026-03-23T11:45:29.982750Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.982755Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "823da894b2c73ffcd39e77366b6f1abf0ae9604d9b20140a54e6d55053aadeba", "comment": "Vulnerable Kernel Driver (aka d4.sys) [https://www.loldrivers.io/drivers/c2e70ee6-2f13-4d43-ad5a-c2bf033cc457/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f25384b6-7caa-511e-8a30-f0b4dffabeab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479332Z", "creation_date": "2026-03-23T11:45:30.479334Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479340Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ae42c1f11a98dee07a0d7199f611699511f1fb95120fabc4c3c349c485467fe", "comment": "Vulnerable Kernel Driver (aka 
AsrAutoChkUpdDrv_1_0_32.sys) [https://www.loldrivers.io/drivers/02e4a30f-8aa8-4ff0-8e02-1bff1d0f088f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f253c20a-a844-50cf-be15-e0eb8f1280d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974679Z", "creation_date": "2026-03-23T11:45:29.974681Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974686Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "35a7be9b0cde8c3d409a472a320541df070d7af6008e6458a05947f2591da9b5", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f2545873-d660-5d71-8f71-8c8079b56d1e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489022Z", "creation_date": "2026-03-23T11:45:31.489024Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489030Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "803753e083138c834cd826128e990ee00f45f3be01f1de93e800672e4b00209b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f25476cb-c961-5296-a938-571ac89b63dc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819481Z", "creation_date": "2026-03-23T11:45:30.819483Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819488Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d008e636e74c846fe7c00f90089ff725561cb3d49ce3253f2bbfbc939bbfcb2", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f258fd4a-592b-5e68-89b7-96b87ec8025e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836338Z", "creation_date": "2026-03-23T11:45:30.836342Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836348Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0589f6c3c50acf2e31b94c0b8a2813a77bb1706c9aa1ae0430417007028ca3ce", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f264824b-4d3a-5b15-b036-f336fa108edc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490120Z", "creation_date": "2026-03-23T11:45:31.490122Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490127Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c8ff77d20034c3b0e9bd85f352be45931df0e961373a47538d141339d5785ded", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f26b20bd-b63f-5e32-91b8-e2e89ba66add", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147788Z", "creation_date": "2026-03-23T11:45:31.147790Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147796Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3c2d5e8cc34820d4627ec5a5c11f9faef59900ae8d5170d6f358e7c2b8a6b25a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f2710301-9527-595e-a5e1-08fa703c27da", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812434Z", "creation_date": 
"2026-03-23T11:45:31.812436Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812442Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c03d1d6012201bb79d3f8ad1e34e984c9ba537ea8c4d94b935bbcbec0c029774", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f27bb10d-c820-5cab-8145-7eba362fc54a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.161164Z", "creation_date": "2026-03-23T11:45:31.161166Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.161172Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a17bee49182c0edc10ac25613f218cd761d0fca0e3bc73e2b61c79a4a52634a9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f281084a-ccea-5845-8e2f-f5d6002bcaa3", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832532Z", "creation_date": "2026-03-23T11:45:30.832534Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832539Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7f2cdd3226b9362cdf99626e0eef83dcbe977585f366edc81e96b95f80289c76", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f283d6e4-cfce-5da7-8875-d328a33dd1cb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154674Z", "creation_date": "2026-03-23T11:45:31.154676Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154681Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "b5663df0ac14cf5dd905000d4b233c397136f3123ecea3797ee0f05c5673b2fe", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f29f0779-9865-5616-b0b6-f323e5cefa88", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487344Z", "creation_date": "2026-03-23T11:45:31.487346Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487351Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9d7d52ae8481bf2ee43c8cf9f017587ee836f2834283c36e356142801175b5e1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f2ad3aec-d12e-5843-bd17-24482464ade9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141504Z", "creation_date": "2026-03-23T11:45:31.141506Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141512Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "730660c0335ba73f2adcf2007ff6caea98d69bd9d90d321320b3b3e64eb3b296", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f2bdbd17-0b58-5117-834d-8ed53914d0a2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984372Z", "creation_date": "2026-03-23T11:45:29.984374Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984380Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a88733b88cdc3f3cc040912ce5a3c44fa26f2ea8454cf6fc855b104a4910fa31", "comment": "Vulnerable Kernel Driver (aka inpoutx64.sys) [https://www.loldrivers.io/drivers/91ff1575-9ff2-46fd-8bfe-0bb3e3457b7f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f2c8ec4c-638c-5b79-8f03-2c6954d9497b", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.161129Z", "creation_date": "2026-03-23T11:45:31.161131Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.161136Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c9844610c40f241d1a856c4d81ba41904ae465cbf5bfa222a96c665274f0e42d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f2e2c15e-cbbe-5255-9192-0507cb7e3d29", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825079Z", "creation_date": "2026-03-23T11:45:31.825082Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825091Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "fcd0c16be348a880d27b7210383009cf79620916321a368e809277ca03680c01", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f2f5affc-2719-5dec-9af8-f26c09dbe8a6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607578Z", "creation_date": "2026-03-23T11:45:29.607580Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607585Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5f5e5f1c93d961985624768b7c676d488c7c7c1d4c043f6fc1ea1904fefb75be", "comment": "Vulnerable Kernel Driver (aka Bs_Def.sys) [https://www.loldrivers.io/drivers/3ac0eda2-a844-4a9d-9cfa-c25a9e05d678/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f2f665e3-f898-559a-a7d3-ed74160376f0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819515Z", "creation_date": "2026-03-23T11:45:30.819517Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819523Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0fc0644085f956706ea892563309ba72f0986b7a3d4aa9ae81c1fa1c35e3e2d3", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f2f6b286-6cd5-55f7-b8b5-d18062d1b7c7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617396Z", "creation_date": "2026-03-23T11:45:29.617398Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617403Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6c6c5e35accc37c928d721c800476ccf4c4b5b06a1b0906dc5ff4df71ff50943", "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f2ff97ad-ca65-59cf-9cad-89c044035620", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460708Z", "creation_date": "2026-03-23T11:45:30.460711Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460720Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a0dd3d43ab891777b11d4fdcb3b7f246b80bc66d12f7810cf268a5f6f4f8eb7b", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f3023f78-c3d7-54b7-8000-bc4f9c0a1d0d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615731Z", "creation_date": "2026-03-23T11:45:29.615733Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615738Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"61a3bf24d4e3eac56c380b022dfc195bad4cc8d03156cdc3ba743faab582284a", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f305977c-4376-5019-ac07-3acbffb88bd1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465311Z", "creation_date": "2026-03-23T11:45:30.465314Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465323Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "69866557566c59772f203c11f5fba30271448e231b65806a66e48f41e3804d7f", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f30b5eb3-adad-5714-8676-93378ff9aacb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604167Z", "creation_date": 
"2026-03-23T11:45:29.604170Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604175Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b5603b60137fed0dfcc95ec10563b0d5fa2e033944019ba5f338f7f7bd2aa45b", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f31d0834-3c43-53a2-abec-226f20be9117", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146203Z", "creation_date": "2026-03-23T11:45:32.146206Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146214Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2a82a5b833cf03738f2d159e2912d2947f5216a4d2adf31a204f365d7ceab430", "comment": "Malicious Kernel Driver (aka 2.sys) [https://www.loldrivers.io/drivers/bb1f80f3-d2fd-463e-9403-57c919bd976b/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f31d757d-9f37-5499-a216-54ca752268f0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153666Z", "creation_date": "2026-03-23T11:45:31.153668Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153673Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "985e930812e841b4eb96dbf53451932109a90b875c7be4631c92383fce269447", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f330b0d6-e2f8-573a-8f06-15fab66995fa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491679Z", "creation_date": "2026-03-23T11:45:31.491682Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491691Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8e688dcd34052f0b04222d1c0d024225f842e5d2529bc2876f4be51b49fd0f06", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f3311e5e-43be-5b8d-957b-96050f09505a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613030Z", "creation_date": "2026-03-23T11:45:29.613032Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613037Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d", "comment": "Hilscher cifX Device Driver abuse (aka Physmem.sys) [https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f33acf16-b08c-5137-b09f-e54ce6e3d779", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610741Z", 
"creation_date": "2026-03-23T11:45:29.610743Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610748Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bac709c49ddee363c8e59e515f2f632324a0359e932b7d8cb1ce2d52a95981aa", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f3455a32-c6f4-5d0d-9d8f-ab192a9db134", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983421Z", "creation_date": "2026-03-23T11:45:29.983423Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983429Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "630d7bdc20f33e6f822f52533a324865694886b7b74dfaad1dc30c9aee4260a2", "comment": "Vulnerable Kernel Driver (aka My.sys) [https://www.loldrivers.io/drivers/b7ec29c6-e151-4a9f-a293-e61f04ee6489/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f3503be4-8609-5925-a9bd-ed45559c8262", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972543Z", "creation_date": "2026-03-23T11:45:29.972545Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972550Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2a6212f3b68a6f263e96420b3607b31cfdfe51afff516f3c87d27bf8a89721e8", "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f35ae36a-1300-55f7-977d-5dca164c6cce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611235Z", "creation_date": "2026-03-23T11:45:29.611237Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611243Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"d1c71a98e10105faa0814fec3544474d86ae0e8f88efd77798a716adad3994a2", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f35b8166-c1b7-5d95-825d-7ed52ea9ba84", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829414Z", "creation_date": "2026-03-23T11:45:31.829417Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.829423Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a90c426d7fd9e5f88f28af8dae29291b0e00f540ed4c9fcf87c4dc221a181d74", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f36c0339-2c88-5122-853f-972b8e1f0ee4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.144581Z", "creation_date": "2026-03-23T11:45:31.144583Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144588Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c9b96740ab510dc69fab798877b0c3e1cef1599c55eb290c4bc439997263c5f8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f380e67c-48ea-5862-b52c-5ffa314fa187", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470281Z", "creation_date": "2026-03-23T11:45:30.470285Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470294Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e171be5cf5cc1f74ec346a1ab0dfaa38c16da6b4265eed710a3faabfc13b9d56", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f38517ca-86f3-5b0e-b45d-26b107cd1e84", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488205Z", "creation_date": "2026-03-23T11:45:31.488207Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488212Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "19c539073d670babad2182d19b1f1109b33efece3c215616468ff9f3611619a9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f38ddd69-b2c6-54f4-8835-ff067d1b7805", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146248Z", "creation_date": "2026-03-23T11:45:32.146251Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146259Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"ea7440064405fb9d4bb63876905f14beb70b0b01d26a7ea9b9d25c00932c8cca", "comment": "Malicious Kernel Driver (aka driver_b4f33ffe.sys) [https://www.loldrivers.io/drivers/51a44484-8bcc-4150-8b94-4a755cff0af8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f38e9dc3-712e-57e8-8138-2fd587cddb17", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613770Z", "creation_date": "2026-03-23T11:45:29.613772Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613777Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "55fee54c0d0d873724864dc0b2a10b38b7f40300ee9cae4d9baaf8a202c4049a", "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f39fb600-8c5e-59c0-8f19-50e4565bd9ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" 
}, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144651Z", "creation_date": "2026-03-23T11:45:31.144654Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144660Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "79bef3d6fda11d3622c526f416b837b6c437eaede7466c0fdbe0bcebd9f13d14", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f3a20967-2145-5ec5-adec-9e70a6d1d664", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969836Z", "creation_date": "2026-03-23T11:45:29.969838Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969843Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0bc755f3e24023d931c637b4c734ae3a4d50567c87fd025114e0520413721751", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"f3a370b0-7d2d-56b7-8fe4-16dcfa108ad8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975587Z", "creation_date": "2026-03-23T11:45:29.975589Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975594Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab0925398f3fa69a67eacee2bbb7b34ac395bb309df7fc7a9a9b8103ef41ed7a", "comment": "Novell XTier vulnerable driver (aka libnicm.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f3a3f928-f683-549a-86fd-428e4c194264", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974748Z", "creation_date": "2026-03-23T11:45:29.974750Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974756Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c264c3d71a57a5dff031d74bd2f6ef715eff603cc8078df123e862603e096be4", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f3a95707-1745-5a35-ad4a-df0142499e98", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146396Z", "creation_date": "2026-03-23T11:45:32.146398Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146404Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0ffb4081fe867c98118e472538e8a3e6feac2a9d80b5ae2d4e2b621b344cd6d9", "comment": "Malicious Kernel Driver (aka driver_0ffb4081.sys) [https://www.loldrivers.io/drivers/8081b0d0-e18e-474a-bdfa-8ff1956d90cb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f3af80c6-9688-5eb7-a0a0-9633faaeee90", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 
1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819464Z", "creation_date": "2026-03-23T11:45:30.819466Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819471Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "848b150ffcf1301b26634a41f28deacb5ccdd3117d79b590d515ed49849b8891", "comment": "Vulnerable Kernel Driver (aka nvoclock.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f3c21312-3d6c-58dd-a1e9-fca63aeb0916", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818108Z", "creation_date": "2026-03-23T11:45:31.818112Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818120Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ae91be2d3f55e3012ed209cf55d180a263be25df9494710d2d2bcbdb3e970e26", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"f3dcb130-f1d0-5ddf-9b80-023a9726a56b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479222Z", "creation_date": "2026-03-23T11:45:30.479224Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479230Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "035b96ff8b85d312be0f9df6271714392a802ec8bab59ae8229812ddc67ced5a", "comment": "Vulnerable Kernel Driver (aka directio32_legacy.sys) [https://www.loldrivers.io/drivers/7a0842ca-1a64-4ad1-9d66-25eb983d1742/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f3df6038-84ff-55a2-af8c-6edaabf4d318", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824487Z", "creation_date": "2026-03-23T11:45:30.824490Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824497Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "56e55585c72d5e0d8418c5dff56054e130e3b34d8acc0320c79b78edce5ab410", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f3e23a75-a2cd-5881-9b90-ad67f05af6ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.484688Z", "creation_date": "2026-03-23T11:45:31.484691Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484702Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "96f6af3a7cb383be7c1271775fcf2c9eb517a37172c11caa629a05cc322308c3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f3f4ede9-6f95-5629-bac5-a661597b98a6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144503Z", "creation_date": "2026-03-23T11:45:32.144505Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144511Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "75aa0f984fdc2d0e1db632b65fbec424a87a8c68a822fca1e503a269eba71f2d", "comment": "Malicious Kernel Driver (aka driver_fdd16a94.sys) [https://www.loldrivers.io/drivers/da066835-f37c-40bf-86bb-d77ad45c7f30/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f3f7e3c4-767f-5263-8dcf-5fc30cf35559", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453490Z", "creation_date": "2026-03-23T11:45:30.453493Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453502Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4b5ef4b48a5b23818e84e415c70bd7058f665cb7cba379d05da689e1cbe1148e", "comment": "Vulnerable Kernel Driver (aka nicm.sys) [https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f3f8530e-1443-57c2-a2ab-d19e50a9e518", "test_maturity_current_count": 
0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620917Z", "creation_date": "2026-03-23T11:45:29.620919Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620925Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4045ae77859b1dbf13972451972eaaf6f3c97bea423e9e78f1c2f14330cd47ca", "comment": "Phoenix Technologies Vulnerable Physmem drivers (aka Agent64.sys) [https://www.loldrivers.io/drivers/5943b267-64f3-40d4-8669-354f23dec122/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f3fde89d-b46d-5752-bb41-1da9f641aa53", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.461155Z", "creation_date": "2026-03-23T11:45:30.461158Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.461166Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"1e94d4e6d903e98f60c240dc841dcace5f9e8bbb0802e6648a49ab80c23318cb", "comment": "Vulnerable Kernel Driver (aka sfdrvx32.sys) [https://www.loldrivers.io/drivers/6c0c60f0-895d-428a-a8ae-e10390bceb12/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f406c5dc-72db-556c-a2e4-ca7c0f8ffecd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819934Z", "creation_date": "2026-03-23T11:45:31.819937Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819946Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8db20ae3737c397c8fb079eaeace0f374e1602adc781a948f9172862cc01198e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f41d3378-6fa6-5041-bc0e-3bf5dffd099b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476177Z", 
"creation_date": "2026-03-23T11:45:31.476181Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476192Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5b699cb45b365f537c2bc4fef0ac2837586c1fd3f0986835ad182183a5c39927", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f4262759-77f2-5d3d-a927-229f4a0272ac", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614093Z", "creation_date": "2026-03-23T11:45:29.614095Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614100Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c7d4943ddac34e1a38692c624d799e634ad4c4e3ae7e3bb2ae4cf0d8eb8985bc", "comment": "MICSYS Technology driver (aka MsIo64.sys) [CVE-2019-18845] [https://github.com/kkent030315/MsIoExploit] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f426f4a3-811d-5ff9-b345-cc7977d70f84", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814718Z", "creation_date": "2026-03-23T11:45:31.814722Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814731Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ac1c07a4fb4f034b91dd52083113f06baf89e85eb95ff4e8594b402237b08ef5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f427d5dd-6230-518e-8519-c13d2f7694f5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614421Z", "creation_date": "2026-03-23T11:45:29.614423Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614428Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"1e8b0c1966e566a523d652e00f7727d8b0663f1dfdce3b9a09b9adfaef48d8ee", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f43d360d-0b3b-57c8-bf5b-a3c99e42cc74", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.488725Z", "creation_date": "2026-03-23T11:45:31.488727Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.488733Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "562c8ce6ac6adcce9ae1ff1031ceb230acb2e6db7d4af9ea680ede81ceb993dd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f43fd366-8964-5767-982e-78384fb87108", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.820217Z", "creation_date": "2026-03-23T11:45:31.820220Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820228Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1aaec14ba263d8950a271f31b4720aa83daba86d0f8d5e8bce4148fe55982599", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f45e8d63-fc62-5ecf-a13e-643b0ddee0b8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971731Z", "creation_date": "2026-03-23T11:45:29.971733Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971739Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1aaa9aef39cb3c0a854ecb4ca7d3b213458f302025e0ec5bfbdef973cca9111c", "comment": "PowerTool Hacktool malicious driver (aka kEvP64.sys) [https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HackTool.Win64.ToolPow.A/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f4645f32-4986-540d-a2c1-5837d0bae5a7", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148179Z", "creation_date": "2026-03-23T11:45:31.148181Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148189Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d5456e3d16caf28e4ad56e7c047084d89fbe8c312a4d28abb2ae1a6a1ffd4d8e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f474bf69-81e8-5f7f-a95e-4fd8df201661", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822102Z", "creation_date": "2026-03-23T11:45:30.822106Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822116Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "694385b46b72e65604afd251fba3c8febb42225343d38feecec3f424ce45f2c3", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f476fc73-6cee-5943-b34a-529baa2637b2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973130Z", "creation_date": "2026-03-23T11:45:29.973132Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973137Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "45b7ec74cc78651975d01d88308f3231df4c96036d6c2273d79f53abdfc8888c", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f48ce149-c36c-51e4-98e7-702e74ad7861", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.817408Z", "creation_date": "2026-03-23T11:45:31.817410Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817416Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2cef3bd693dc86b5962d66e3cdade498143a4d921fdc5d8f823732d02082cae8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f48ec029-8443-580a-81d4-d70d50fb9bb9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.817557Z", "creation_date": "2026-03-23T11:45:30.817559Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.817564Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5bf3985644308662ebfa2fbcc11fb4d3e2a0c817ad3da1a791020f8c8589ebc8", "comment": "Vulnerable Kernel Driver (aka dellbios.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f48f86bd-2651-5bd3-a0fe-73096c1c7220", "test_maturity_current_count": 0, "test_maturity_delay": 
7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816691Z", "creation_date": "2026-03-23T11:45:30.816693Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816700Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "13ae4d9dcacba8133d8189e59d9352272e15629e6bca580c32aff9810bd96e44", "comment": "Vulnerable Kernel Driver (aka tdeio64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f493a728-d01e-5af5-a363-17b5365e619f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477083Z", "creation_date": "2026-03-23T11:45:30.477087Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477096Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"b9ad7199c00d477ebbc15f2dcf78a6ba60c2670dad0ef0994cebccb19111f890", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f49f5a34-37b6-52f6-8abe-db95642d8fa2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619490Z", "creation_date": "2026-03-23T11:45:29.619492Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619498Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "65329dad28e92f4bcc64de15c552b6ef424494028b18875b7dba840053bc0cdd", "comment": "Insyde Software dangerous update tool (aka segwindrvx64.sys) [https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Program%3AWin32%2FVulnInsydeDriver.A&threatid=258247] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f4b57b4c-b90b-5bde-86d4-5ed488cc65ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.824294Z", "creation_date": "2026-03-23T11:45:30.824296Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824301Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d320bae0560a5c14f2b4998930a582a3db9131105c51be8780f3e42eb9c830d6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f4c7a4f7-1b43-5f8f-9012-284fda08822a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.458779Z", "creation_date": "2026-03-23T11:45:30.458782Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.458791Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0174cea1dd70b374f355126ae6be650dff95897d8c8200caac91d4f9e5e5b871", "comment": "Vulnerable Kernel Driver (aka nscm.sys) [https://www.loldrivers.io/drivers/351ff5ca-f07b-4eb6-9300-d5d31514defb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f4cb2b6b-efa6-5a95-879d-2183c359003f", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620833Z", "creation_date": "2026-03-23T11:45:29.620835Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620840Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e61a54f6d3869b43c4eceac3016df73df67cce03878c5a6167166601c5d3f028", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f4cbc1c4-729b-5359-a5be-96d316da0087", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821699Z", "creation_date": "2026-03-23T11:45:30.821702Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821711Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"348dc502ac57d7362c7f222e656c52e630c90bef92217a3bd20e49193b5a69f1", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f4de6c0a-c86a-546b-9ed0-595abeb61343", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825405Z", "creation_date": "2026-03-23T11:45:31.825407Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825412Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bd6e242ea118af2d1a089ee4013e0b18e62de477d610e47b4aaa551bc708cca4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f4e600c5-1431-529c-b5c4-72d5b039ece6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.494656Z", "creation_date": "2026-03-23T11:45:31.494658Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.494663Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6e397c79b7e6ccd146aaca3aed2289677f546176f107dc8d529e6761e58b20bc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f4eb7494-4c1f-5aa0-93d4-90d1e2422916", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968022Z", "creation_date": "2026-03-23T11:45:29.968024Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968030Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7da5e6b6212c03d4d862795d05aace1a06db4943489cb639b9ca9a88563c9d0f", "comment": "Projector Rootkit malicious drivers (aka KB_VRX_deviced.sys) [https://twitter.com/struppigel/status/1551503748601729025] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f4ef332a-7e97-515a-8669-4fc2e214fb22", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811081Z", "creation_date": "2026-03-23T11:45:31.811083Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811088Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "481dc99c83a17b4afeb99597f8aa8c7b61756b3b848c3624741869410d5c9266", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f4f71a07-890a-5891-8f59-021885c9402c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479238Z", "creation_date": "2026-03-23T11:45:31.479242Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479252Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"ffb536b3fba7aecb5be8b9211a6899e4b3f4cf592d7a8aa0ce7e72f6c95b0f76", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f4f86dc3-3077-5974-81b8-0b95e1367f06", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154960Z", "creation_date": "2026-03-23T11:45:31.154962Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154968Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d44a12e97d1c9280e460b7172a436f5a72ccd65d9b36b99abf523c1a1f7a3034", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f50dae47-3ead-523b-b8ff-b1cc6af7410c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473659Z", "creation_date": "2026-03-23T11:45:30.473663Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473671Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e618c3484111ea363a1ecd2c5f5d4abab13f2f474c870bfa5f6edb98df66f4cc", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f5138adc-1798-5a29-a557-c6bd1e9be4fa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619507Z", "creation_date": "2026-03-23T11:45:29.619509Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619514Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5daf5fcf2e234f21d487a696f49410901b417162337052c657fb5fcaffcb771c", "comment": "Insyde Software dangerous update tool (aka segwindrvx64.sys) [https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Program%3AWin32%2FVulnInsydeDriver.A&threatid=258247] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f51b4e69-78d0-5ec3-8de6-43be2cdbf4d9", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827603Z", "creation_date": "2026-03-23T11:45:31.827605Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827610Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "29a08f4404060bfe949ba170bd14ecfe63ea36d6c1b95626c4feebd031bbcd9f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f52c0a36-b73b-519c-99ad-a24aa9c8f1d1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820777Z", "creation_date": "2026-03-23T11:45:31.820780Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820789Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "e308f38ebb979e8a4608476c3d081e4410f657e7b031fe7103650a59f58e1208", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f53bb847-fb15-594f-969c-495cfb249ddd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817133Z", "creation_date": "2026-03-23T11:45:31.817135Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817141Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "801cb16225aaf3bebff46eaf5d9b0158ee0d1ccc4534dc6220b9cc18986a0c5b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f541314b-82e6-57c3-8e22-719892582cea", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477318Z", "creation_date": "2026-03-23T11:45:30.477322Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477331Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7048d90ed4c83ad52eb9c677f615627b32815066e34230c3b407ebb01279bae6", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f5423fa1-87e0-574f-ad5c-ef249230edab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832642Z", "creation_date": "2026-03-23T11:45:30.832644Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832649Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6f5ff9939a42d48ce8c6eacd51fc62609b735e2b7a052df3e696051074348577", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"f552cbf3-2637-54c5-9866-f240df35cda1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154149Z", "creation_date": "2026-03-23T11:45:31.154152Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154158Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6f979e48c56cc6358b21b467012c19aa0e4c32134a5fe964158cb69caf4cd8d8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f564c890-13d8-5d82-8fe1-0ee953d2687f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479439Z", "creation_date": "2026-03-23T11:45:30.479441Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479447Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0452a6e8f00bae0b79335c1799a26b2b77d603451f2e6cc3b137ad91996d4dec", "comment": "Vulnerable Kernel Driver (aka segwindrvx64.sys) [https://www.loldrivers.io/drivers/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f5674847-1ece-5c90-8da5-be6e995a22c1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972703Z", "creation_date": "2026-03-23T11:45:29.972705Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972711Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9f86fc8a6eaa3b38f33be4a0d552c184e575afa50a60df7383c06a394e3926d8", "comment": "TG Soft vulnerable driver (aka viragt.sys and viragt64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f579ee1f-f584-5ac3-b4cf-e3ce74f94c12", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974017Z", "creation_date": "2026-03-23T11:45:29.974019Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974024Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dbc604b4e01362a3e51357af4a87686834fe913852a4e0a8c0d4c1a0f7d076ed", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f57af528-7d70-5074-9b6a-77947d9636ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.142556Z", "creation_date": "2026-03-23T11:45:32.142573Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.142586Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b3c9af8c4be8f62d25b955f92d2a4e9ebd34f7fa787580454ef54241102e7b30", "comment": "Vulnerable Rentdrv2 Driver (aka rentdrv2_x32.sys and rentdrv_x64.sys) [https://github.com/keowu/BadRentdrv2, 
https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f580852a-12f0-5cc7-a76c-90b7f670e29a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490893Z", "creation_date": "2026-03-23T11:45:31.490897Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490905Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e6a1562b6f7385619258db40f1cf4593d1025cf97401462000840acd3c32ad16", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f5876ff0-5366-544d-bc29-3cfb047613e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454821Z", "creation_date": "2026-03-23T11:45:30.454824Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454832Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5195443274ee3a382e947f03fd409437730434c2af0c1bb1c99f5ba1953f989e", "comment": "Vulnerable Kernel Driver (aka mhyprotrpg.Sys) [https://www.loldrivers.io/drivers/ebdde780-e142-44e7-a998-504c516f4695/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f590dc70-3db6-5651-b9ee-4bfa323dd917", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456161Z", "creation_date": "2026-03-23T11:45:30.456164Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456174Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cac6f11d37bf2438a7f07053bbe692bb135bc06c245b56e8411e3bd906e15f98", "comment": "Vulnerable Kernel Driver (aka fd3b7234419fafc9bdd533f48896ed73_b816c5cd.sys) [https://www.loldrivers.io/drivers/c7f76931-e24c-4d94-9e1f-5a083da581b4/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f5910f1a-42e1-5198-b510-8ae37cf1ba3b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.455759Z", "creation_date": "2026-03-23T11:45:30.455762Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.455771Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1b17d12076d047e74d15e6e51e10497ad49419bec7fbe93386c57d3efbaadc0b", "comment": "Vulnerable Kernel Driver (aka HWiNFO32.SYS) [https://www.loldrivers.io/drivers/2225128d-a23f-434a-aaee-69a88ea64fbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f5916de2-3783-5006-9926-459c90f6bb4b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472590Z", "creation_date": "2026-03-23T11:45:30.472593Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472603Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0f6cd34717d0cea5ab394b39a9de3a479ca472a071540a595117219d9a61a44", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] 
[file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f5918195-7664-5e6e-b0c9-2699a1ba478f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481295Z", "creation_date": "2026-03-23T11:45:31.481298Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481308Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ec46f787b37654072b52fbc17d46607d1f14c8b4a25552a1bff8e10eb89c1a80", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f595ae79-3203-57fb-bf81-27fc77f86e8d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493901Z", "creation_date": "2026-03-23T11:45:31.493905Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:31.493914Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b79dd4c9467d0d07b6a19a7768e5f9ded0778550b5f0f014a80ae44e67e0fdd3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f597f5f1-8407-5a49-9aa1-f201e884d881", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822979Z", "creation_date": "2026-03-23T11:45:31.822982Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822992Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "950cbe3e38dfad78a935486807a8dbf85c77b8d0a792c994262591442c6ea6d1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f59c15cf-1a92-5afc-b5f5-7045c01fefbd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471860Z", "creation_date": "2026-03-23T11:45:30.471863Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471895Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f7e0cca8ad9ea1e34fa1a5e0533a746b2fa0988ba56b01542bc43841e463b686", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f5aa971a-891d-51e5-bbf0-c16ac657fe77", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146894Z", "creation_date": "2026-03-23T11:45:31.146896Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146901Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8f4198e14658e61eb7d1fbfa145b931e3fa03fc6b14163334eb4f7b778878e94", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f5ac64eb-5984-5256-b980-4537596fce6c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474302Z", "creation_date": "2026-03-23T11:45:30.474305Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474314Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4d29b1c2fff1a67d911229f36570e3d9b1cab0397d2cbc858b665403f1add3a3", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f5b92a6e-367d-55d7-83b2-7458c68749ef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490592Z", "creation_date": "2026-03-23T11:45:31.490594Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:31.490599Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "63ed062dec8512b5aba5d56efa1dc143eefcce2fbcf01216f81a4391f68cbfaa", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f5cf39cc-5fb6-5de5-8a4b-8b753ff26166", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.817391Z", "creation_date": "2026-03-23T11:45:31.817393Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.817399Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "05192e72245e1e5c83e5ae4a16d99322dc108ffc0efa646d01aac9ba372e1c66", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f5d0f6c2-5215-531f-93f9-8ad988c3cf4f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829536Z", "creation_date": "2026-03-23T11:45:30.829538Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829544Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1e998bb646c9bb81595fd6a221962afd563f3be775ede6fe436be1a51de2f5bb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f5da464e-1382-5a3e-8b64-3df9fa52e0b0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.820930Z", "creation_date": "2026-03-23T11:45:31.820933Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.820942Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6ce761d6203906d8a79f26c08f04228088c3668b015fd8da5083f60a0266cd28", "comment": "Vulnerable Adlice Software Truesight/RogueKiller 
(v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f5dace71-146f-5f80-9f12-43281bcfdfcd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456508Z", "creation_date": "2026-03-23T11:45:30.456512Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456521Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b6ae324b84a4632cf690dd565954d64b205104fc3fa42181612c3f5b830579c6", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f5e163df-6d31-577e-a3ac-14cd99442c61", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978230Z", "creation_date": "2026-03-23T11:45:29.978232Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978238Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "be03e9541f56ac6ed1e81407dcd7cc85c0ffc538c3c2c2c8a9c747edbcf13100", "comment": "Vulnerable Kernel Driver (aka t7.sys) [https://www.loldrivers.io/drivers/7196366e-04f0-4aaf-9184-ed0a0d21a75f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f5f0275a-6857-543f-a784-42f11c8cf995", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617306Z", "creation_date": "2026-03-23T11:45:29.617308Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617313Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "11a9787831ac4f0657aeb5e7019c23acc39d8833faf28f85bd10d7590ea4cc5f", "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f5f81cb0-2159-57cd-a250-90417a5af573", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", 
"source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479793Z", "creation_date": "2026-03-23T11:45:30.479795Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479800Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "54488a8c7da53222f25b6ed74b0dedc55d00f5fa80f4eaf6daac28f7c3528876", "comment": "Vulnerable Kernel Driver (aka capcom.sys) [https://www.loldrivers.io/drivers/b51c441a-12c7-407d-9517-559cc0030cf6/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f5fb0534-bc4a-5b50-a5fa-e64e112205b5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481568Z", "creation_date": "2026-03-23T11:45:30.481570Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481575Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3670ccd9515d529bb31751fcd613066348057741adeaf0bffd1b9a54eb8baa76", "comment": "Vulnerable Kernel Driver (aka rtif.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f61acce1-deae-5ee1-a46d-088e0778ae3a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826354Z", "creation_date": "2026-03-23T11:45:30.826356Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826361Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aaa308b8f8d30f3b0ed1cfcd50206c96f39a221f011d28825c040a685afa1de3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f6230874-44fe-5505-bacd-c34c4c0638f1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613546Z", "creation_date": "2026-03-23T11:45:29.613548Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613553Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e6a2ac52a35d470dc336bae5c48a2ebf2d80519bfd57b703da6ce00ddd12163a", "comment": "ASRock vulnerable drivers - Privilege Escalation (aka AsrDrv10X.sys) [CVE-2018-10709] [https://www.exploit-db.com/exploits/45716] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f6275e98-2d79-54d6-88d9-c83f42b79d0a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985233Z", "creation_date": "2026-03-23T11:45:29.985235Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985241Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "28e09bec08688b00af1e247fa58ee4e55f2b73a06709fe37df7120a2ebee9a9f", "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f635bd39-1900-58c2-b36d-35a480ee3bf1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, 
"username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.483212Z", "creation_date": "2026-03-23T11:45:31.483216Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.483226Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2e27a032f1e93ec648cd90136dc3a218bfae19fb5750f17c7a64f95680be44ae", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f65028c4-dea3-590d-be78-3c16ef764c6e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810047Z", "creation_date": "2026-03-23T11:45:31.810049Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810057Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "eadb4af39567771fec339b58c3c5d1f4aa652443cb3f1915314fafdb6d80de30", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f650d985-4e93-54c2-9fd1-21b9aa5e9723", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616204Z", "creation_date": "2026-03-23T11:45:29.616206Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616211Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bddf1750dc00725c1384b34740e798b4f5f70218ab71ac62a5a96773b377df5a", "comment": "Phoenix Tech. 
vulnerable BIOS update tool (aka PhlashNT.sys and WinFlash64.sys) [https://www.loldrivers.io/drivers/be3e49ea-095e-4fdb-9529-f4c2dbb9a9fc/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f656fa1f-65e0-5d26-9892-dd0a78b62b98", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476900Z", "creation_date": "2026-03-23T11:45:31.476904Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476914Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3bb6c306e7f1d806ddf24e07507e4ecb3594f94010da3fc11fa438ffc51b5620", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f659437c-a3ae-5d80-ad9c-4f96f6f7ef12", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468346Z", "creation_date": "2026-03-23T11:45:30.468349Z", "enabled": 
true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468359Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c9cba07502b8a10034ddf75b35f4d6f2a24862cde5bff300720f5df04d4cfe6b", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f65f32bc-46a9-5624-a812-97985cc42806", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610280Z", "creation_date": "2026-03-23T11:45:29.610282Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610290Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1ee59eb28688e73d10838c66e0d8e011c8df45b6b43a4ac5d0b75795ca3eb512", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f66e9787-2669-5c7b-9a98-15ec7ac77b03", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": 
"critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829465Z", "creation_date": "2026-03-23T11:45:30.829467Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829473Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ad5684e36e6fabe7abdd6dba1a09f8e2dce00634c6e7c8adb71b49bed95ae354", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f6731b03-4a6f-544b-8b97-d740e0bb841f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156362Z", "creation_date": "2026-03-23T11:45:31.156364Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156370Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "03dc780cb03df809eb88ba478dd65a48ecbc887963fca4c7bb7325d7677d0bfe", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f68ec9d1-ef90-5d1e-9e35-b0baa19049a7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454095Z", "creation_date": "2026-03-23T11:45:30.454099Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454107Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1284a1462a5270833ec7719f768cdb381e7d0a9c475041f9f3c74fa8eea83590", "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/bc5e020a-ecff-43c8-b57b-ee17b5f65b21/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f69b839e-1787-523f-8eaa-1eba964966d6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809729Z", "creation_date": "2026-03-23T11:45:31.809733Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809741Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9a9ca3709a5e9711846effbabb2b19b74d6827ebf109084335583bd75b7741ca", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f69da92f-08aa-55b1-b9e6-ceeffb2e4235", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.472245Z", "creation_date": "2026-03-23T11:45:30.472248Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.472257Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b7aa4c17afdaff1603ef9b5cc8981bed535555f8185b59d5ae13f342f27ca6c5", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f6a23057-5ea4-5c10-a089-6608586baad3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468953Z", "creation_date": "2026-03-23T11:45:30.468957Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468967Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "34d57107b592c4d2c7d1c95eea1ab7400c09d23864c3870ca3656b5ae81859aa", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f6a7b786-1cb2-5abd-b3b3-102a9ea0e606", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466014Z", "creation_date": "2026-03-23T11:45:30.466017Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466026Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dfc80e0d468a2c115a902aa332a97e3d279b1fc3d32083e8cf9a4aadf3f54ad1", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f6ac5bf5-66f3-5b05-bb1e-64a62fbab86f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967475Z", "creation_date": "2026-03-23T11:45:29.967477Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967483Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bff9b75ae2eea49a765f79d9c67c997edb6c67a2cc720c6187dd2f67980acab7", "comment": "Retliften malicious signed drivers (aka netfilter.sys) [https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f6ad554f-bb77-5ec5-97f2-0ca898257868", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145525Z", "creation_date": "2026-03-23T11:45:32.145527Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145534Z", "rule_level": null, 
"rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "95ca14e045618fb38834d17c5cc176162a29d846c1463b840c9129fb9af47c68", "comment": "Vulnerable Kernel Driver (aka szkg64.sys) [https://www.loldrivers.io/drivers/375e8de3-aae4-488d-8273-66744978b45f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f6af791f-ac9a-51ec-a7bb-215c31454cfa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605770Z", "creation_date": "2026-03-23T11:45:29.605772Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605778Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b3a99e3184b73011f565210e169df27545aacf63e10ceb3c5e35602a698877f5", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f6b52d01-97e2-5a5e-bcd3-eefc46cef81e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" 
}, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155787Z", "creation_date": "2026-03-23T11:45:31.155789Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155795Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "373d50fcb66000374b9b6b0044e3a456ef2d2acfd4748fa55d00fa71be814493", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f6bcb6f6-8875-5727-bbf5-69c98ac0459d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157402Z", "creation_date": "2026-03-23T11:45:31.157408Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157418Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d6ac74e0b2bdcdd56538498b01483b2ab2e724d82bebe095ff0ca57c51e3b14d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f6bee408-bfbc-552a-9b4e-1c39a2715e9d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480940Z", "creation_date": "2026-03-23T11:45:31.480944Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480961Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9a56b25010995e6bd244bdf59ded80a62986701a1dbf91142148cb41038c7bcf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f6c97a80-1704-5e68-9f14-875e260c4a8b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.485547Z", "creation_date": "2026-03-23T11:45:31.485550Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.485560Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f641ac8749a0fa9c116f61f98061732416665dd6f5899ef3bbd0715a078e3d77", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f6d8ee60-e5df-555a-968a-e09f9845202b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.823130Z", "creation_date": "2026-03-23T11:45:31.823133Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.823141Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8ceb24d0060383f34f6ef3a105df078b357e4119b3ff3739b33add0a2dcaad79", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f6eb5188-1546-5914-873a-7aa767b10724", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609429Z", "creation_date": "2026-03-23T11:45:29.609431Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609436Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b213524b22aadcc273142c4b8afc2a6219d6b8b7cab4b41adf9944efb8f46005", "comment": "Gigabyte vulnerable driver (aka gdrv.sys) [CVE-2018-19320] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f6f33bfb-fc9e-51ce-a6da-dc0ddedec0c9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979726Z", "creation_date": "2026-03-23T11:45:29.979728Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979733Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "40e0be2ed5d07d5ecf14232fe64a95c7ad6fd942a60b4a6e21fda69c75bbb78d", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"f6f3ed1b-b4c6-54ae-bd06-8a5238967a14", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470843Z", "creation_date": "2026-03-23T11:45:30.470847Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470856Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "07f962d8b90f359cf12faa55772d0ef05237ac2fbb2ff7d5cff700df93643e65", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f6fc5e61-96df-568d-bd08-5b457de13679", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608670Z", "creation_date": "2026-03-23T11:45:29.608672Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608678Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "f8a7f08a0e8cdd52a35ad54a576dec8c1cd6a1ded6c28422f2e70ae8e8107fbb", "comment": "VirtualBox VBoxDrv vulnerable driver (aka VBoxDrv.sys) [CVE-2008-3431] [https://www.loldrivers.io/drivers/79542852-3a0c-43bc-bfa3-3eeb0e1d7fd2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f6fe166b-04c4-5903-9bee-218f5182072f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807605Z", "creation_date": "2026-03-23T11:45:31.807607Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807613Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b7dcaf3a048710fe192179f551090eb4c216b0fab5c208996e72baefcc2451e2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f700e3e0-2914-56e7-b9fe-55f1305e9f8e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159403Z", "creation_date": "2026-03-23T11:45:31.159405Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159410Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c6456b92b1f3dca09c62ce5e9e70d1b8cf82e426f5033b2cba384f6efd710a77", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f706fdea-0c4a-50a8-aa0d-079a6f84e16b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156143Z", "creation_date": "2026-03-23T11:45:31.156145Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156150Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "85db85f799171057ff4d736e68737b8a464da14c18f4d31e26c43051c3e67de1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" 
} { "id": "f70920ea-9123-54a4-ae2b-900d951734b1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473987Z", "creation_date": "2026-03-23T11:45:31.473992Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474002Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bf960262b1ce57f1eaec06bde3c8d33425e6924b58e71d20634d5b74193a2c46", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f7111408-3afd-5b15-90ea-2af16d4e75cc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.142766Z", "creation_date": "2026-03-23T11:45:32.142768Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.142777Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a32806139db1f02442679cc20c0ca4d30f91c6a42c6205d347cbc374779900d2", "comment": "Vulnerable VirIT Agent System Driver (aka viragt64.sys) [https://www.trendmicro.com/en_no/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f71e4d97-1a98-554b-9e59-cb89c0bf25e5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968308Z", "creation_date": "2026-03-23T11:45:29.968311Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968321Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "865e4bc7290fc3b380e266ccd98c2d4e965beb711d7efd090d052e8326accdd2", "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f7284bbd-6c40-5340-8a96-29300f7f912e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816673Z", "creation_date": "2026-03-23T11:45:30.816675Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816680Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4eebf3fc1a508fe0e54c061a211c44a3df641707adab16ff839187759e8d2a61", "comment": "Vulnerable Kernel Driver (aka avalueio.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f72dac8e-789e-56ee-87ec-8a90a2a7b6b5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613048Z", "creation_date": "2026-03-23T11:45:29.613049Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613055Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "03a831e18d933954d432187835e0d6aea8bf10fd84dfbe36a23366e2b0538a11", "comment": "Hilscher cifX Device Driver abuse (aka Physmem.sys) [https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/] [authentihash SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f7352208-6d17-5fb8-87b2-1e9c6578d4d3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.981629Z", "creation_date": "2026-03-23T11:45:29.981637Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.981651Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "760be95d4c04b10df89a78414facf91c0961020e80561eee6e2cb94b43b76510", "comment": "Vulnerable Kernel Driver (aka NetFlt.sys) [https://www.loldrivers.io/drivers/30d6c39c-1d93-4101-8dd3-322ff0ab7fb3/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f73a9795-7691-5323-8088-e99e9b7ecce5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611909Z", "creation_date": "2026-03-23T11:45:29.611911Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611916Z", "rule_level": null, "rule_level_override": null, "rule_confidence": 
null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6e76764d750ebd835aa4bb055830d278df530303585614c1dc743f8d5adf97d7", "comment": "Genshin Impact vulnerable driver (aka mhyprotX.sys) [https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f73ef725-3459-5424-a40e-114532b5980d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816209Z", "creation_date": "2026-03-23T11:45:30.816211Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816217Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "85fdd255c5d7add25fd7cd502221387a5e11f02144753890218dd31a8333a1a3", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f73fda1c-1882-549b-93da-f893fa6ff5ca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" 
}, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.816215Z", "creation_date": "2026-03-23T11:45:31.816218Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.816226Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "80c662a564bec8719db16eabcc3f601e3fbc6280d6682eccfed090a83300eb01", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f7467f8c-b98e-55eb-a79f-b3ac5afbe25a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609369Z", "creation_date": "2026-03-23T11:45:29.609373Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609380Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9c0e80958b907c8df345ec2f8d711acefb4951ee3e6e84892ecd429f5e1f3acb", "comment": "Vulnerable Kernel Driver (aka gdrv.sys) [https://www.loldrivers.io/drivers/2bea1bca-753c-4f09-bc9f-566ab0193f4a/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f7469e7e-8004-5ef3-9144-c602f95efa0c", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833699Z", "creation_date": "2026-03-23T11:45:30.833702Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833711Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d41b6cbf58215cc6d6a0d452937aa0dd9ba73140f0ab1daa7a6f29afd4d6b4cf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f74aa327-46cd-5889-bb2e-208ec759a77b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473542Z", "creation_date": "2026-03-23T11:45:31.473546Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473556Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "0c985671e0517054bb6fdf676c2e65a2bd0d5101564250268f7de5e716f4b81a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f74c1d60-a834-5c48-8329-3b73512e7c57", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828489Z", "creation_date": "2026-03-23T11:45:30.828491Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828497Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5cd5b884ead3c1485bace633184e9c660d97f2d1e676c1ced82d5cfe33b3c213", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f7568d63-797c-5fe4-9037-12ebd43f6f46", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814123Z", "creation_date": "2026-03-23T11:45:31.814127Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814134Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "43c7147cb0998ef5ac62caf6996fabf9ab0ea0a465c85afd7fc744e8f8386f6a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f766690b-c9e3-556e-9f77-62129427bfb2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.497856Z", "creation_date": "2026-03-23T11:45:31.497858Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.497863Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "227ef6cf7a61cb7b8565ba6581a619d79030a45c4bec699867a502e2677dbe30", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", 
"source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f777be10-23b0-50ef-bbb1-4bd4c0f5128c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465738Z", "creation_date": "2026-03-23T11:45:30.465741Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465750Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1ef7afea0cf2ef246ade6606ef8b7195de9cd7a3cd7570bff90ba1e2422276f6", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f77c70f9-03fd-51d9-a7a4-7ff6d67dc19b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153015Z", "creation_date": "2026-03-23T11:45:31.153018Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153026Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8f0e38e7cad0e0226e2ce25db1dda0fbfe0628222a382a19d5d712005bca4bef", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f781b720-3f52-5d04-ba84-fc30e648b03d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610083Z", "creation_date": "2026-03-23T11:45:29.610089Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610094Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1f4d4db4abe26e765a33afb2501ac134d14cadeaa74ae8a0fae420e4ecf58e0c", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f782cccb-39d8-5245-95f0-2707bfefb998", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, 
"username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826882Z", "creation_date": "2026-03-23T11:45:30.826885Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826890Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0bf6291bee1862214a4c2948479e6e2c9c09d7d103e9e5ca35eea5726b789e07", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f789a629-0ca7-539f-8b19-d7ef41f7e966", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.476997Z", "creation_date": "2026-03-23T11:45:30.477000Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477009Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e03d8492926408a299100ef02c46bf3510a816bd9eed2f988b47c066049e9111", "comment": "Vulnerable Kernel Driver (aka libnicm.sys) [https://www.loldrivers.io/drivers/2b949a0d-939f-456a-a34f-4589d7712227/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"f7907a3e-4c74-52d4-b156-9c3d75463fa0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492338Z", "creation_date": "2026-03-23T11:45:31.492340Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492345Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "42527d104eac6fb21d4cb6f7f1a8d10601044127de67ac5a8832ef0266fe367b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f791b45a-b7d3-5fcb-8223-47f0f5ccdd50", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462820Z", "creation_date": "2026-03-23T11:45:30.462823Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462832Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4bd4715d2a7af627da11513e32fab925c872babebdb7ff5675a75815fbf95021", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f79928f0-a5ab-562f-8d13-447fed687fb6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825854Z", "creation_date": "2026-03-23T11:45:31.825856Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825861Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d56c12e9ced5e3fe9902156bf265aaef933b206828f4fe72be7b675806c637fd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f7aa33e5-d64d-5aa1-a58d-3fbed87cecbd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498865Z", "creation_date": "2026-03-23T11:45:31.498885Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498895Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5b4ef60abd1adf6909a91cce9bb505635921b9e6e3cb8857dea192f42f70b03b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f7acc85a-de2c-56fd-8b34-d4176c9f4d70", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491795Z", "creation_date": "2026-03-23T11:45:31.491798Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491803Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea5be436504210daeae063b6ce4c17de5710dcd725dc8c798bbb6011202d6980", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f7bb5d03-3180-5b1c-a92f-f0e8c16bab94", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834297Z", "creation_date": "2026-03-23T11:45:30.834301Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834310Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e72e3d969c429cf4c55a476751eec576c0388c681ff182ff629a812753011dae", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f7bd01f5-fae7-5d4d-95ce-cf7bd36e331a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978791Z", "creation_date": "2026-03-23T11:45:29.978793Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978798Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "59b09bd69923c0b3de3239e73205b1846a5f69043546d471b259887bb141d879", "comment": "Vulnerable Kernel Driver (aka procexp152.sys) [https://www.loldrivers.io/drivers/0567c6c4-282f-406f-9369-7f876b899c25/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f7c5c863-a9fb-59ba-993d-67435828a444", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160474Z", "creation_date": "2026-03-23T11:45:31.160475Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160481Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d13feffd9425aa1bf1cb196dd887e20f1dc46ef865584b5104595e77e71ff5c5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f7dcf992-df20-5f88-9bd7-3f6c369d2abf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606978Z", "creation_date": "2026-03-23T11:45:29.606980Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606985Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "76adb3fa346058e95ba3fd549fd48a15adaf4920a3109391f52053ebf39e62cc", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f7e088a2-9d52-5c42-98b4-d5beef625660", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983667Z", "creation_date": "2026-03-23T11:45:29.983670Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983675Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e4dbc382c21b4b14b54d37b2fd86e12a7637f177ba4170e19ffde3584ec48e6c", "comment": "Vulnerable Kernel Driver (aka amigendrv64.sys) [https://www.loldrivers.io/drivers/5c45ae9e-cb6f-4eab-a070-b0187202e080/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"f7e256cb-237e-5086-8d72-f1649adf06af", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159972Z", "creation_date": "2026-03-23T11:45:31.159974Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159980Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e2268ddada0ea19902baa3b63b6912526d6217b1dd26e651208d0952439f2884", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f7e6dd6b-f24c-5070-801e-a72a8291549d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.491521Z", "creation_date": "2026-03-23T11:45:31.491524Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.491532Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee277d77ba18e32ba094970f48b1e1d295a5c5f07a9a029dff6ad171dd5becb4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f7e942f1-ba4b-5f0a-94d5-1f5cab2ceffa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.821897Z", "creation_date": "2026-03-23T11:45:30.821901Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.821909Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "de8a750317ff44704c0b03c374f5cbc37c9ef5c067a33628aa7c51a5b11db383", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f7f56acb-6216-5897-9b9c-ab710b3baa83", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, 
"username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828167Z", "creation_date": "2026-03-23T11:45:31.828169Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828174Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0506323a942dbf6d78bcc596fb20acdec525786636f3923e5c33178c5cf55cb0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f7f89e16-1b35-550a-bc81-f50fb0022f4a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821343Z", "creation_date": "2026-03-23T11:45:31.821346Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821354Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "feec5c399ca9bb94a0592ab773bad0132d97aeed873bcb47a0622ab53c5c81b0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f8057b07-a2ad-53c7-b92f-9e9b95f99857", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160380Z", "creation_date": "2026-03-23T11:45:31.160382Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160390Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "136e3f4cf24fef00f5b7a4d35b6970dff68e4c5af40f47c0fa0d2e36f90b5d73", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f8061f08-9589-546e-bd8e-3617d60414ae", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479828Z", "creation_date": "2026-03-23T11:45:30.479830Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479835Z", 
"rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d9e8be11a19699903016f39f95c9c5bf1a39774ecea73670f2c3ed5385ebfe4c", "comment": "Vulnerable Kernel Driver (aka capcom.sys) [https://www.loldrivers.io/drivers/b51c441a-12c7-407d-9517-559cc0030cf6/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f80c9f39-bf9f-5c93-8902-cb4d04b3a541", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604148Z", "creation_date": "2026-03-23T11:45:29.604151Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604156Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8483c5dc2323306d4ee3685b7e90a4c11e11b01d04cb607e0bc5aad368fd3c6e", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f821a02e-72e7-5e8f-93cd-e47306221281", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" 
}, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974950Z", "creation_date": "2026-03-23T11:45:29.974953Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974958Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2c1b6a278ff90171a7472423a2626edcf75233aacac1bd7d1995716ef26f8dcf", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f829a8fc-6652-5c1c-9625-de753d8e5919", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833318Z", "creation_date": "2026-03-23T11:45:30.833321Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833330Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "65ba545cef6077b62d96207252ffaea4e12bb93d37e5d2c2a9725fc54fb3874f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { 
"id": "f83880bf-eb60-5877-b11b-4f07dde5b40f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492285Z", "creation_date": "2026-03-23T11:45:31.492287Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492292Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fbd09c3feb1b5c77fd0aaaa3c43bf320a29a3230f1d8eaab4804d02d432e7822", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f83a7557-f594-583c-8346-4a481722d1af", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147622Z", "creation_date": "2026-03-23T11:45:31.147624Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147629Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fa8c60175aaf470608e4f198c57cf0f4deef6dd9558dd6d512ae3f71a347a11d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f852f38c-c0aa-548c-a7c0-df05a047debd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480967Z", "creation_date": "2026-03-23T11:45:30.480969Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480975Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4c807bacfcf5c30686e26812ec8d5581a824b82fee7434260c27c33eee2dfbe2", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f86023c0-a963-5c0d-87b1-1e54a73b4f35", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": 
"system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466720Z", "creation_date": "2026-03-23T11:45:30.466723Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466732Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "06ddf49ac8e06e6b83fccba1141c90ea01b65b7db592c54ffe8aa6d30a75c0b8", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f869ff1c-388e-5d6b-a145-ae2b90f72d5d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.608335Z", "creation_date": "2026-03-23T11:45:29.608336Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.608342Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3111f4d7d4fac55103453c4c8adb742def007b96b7c8ed265347df97137fbee0", "comment": "Vulnerable Kernel Driver (aka EnPortv.sys) [https://www.huntress.com/blog/encase-byovd-edr-killer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f874ec6f-7cd7-53b9-a3f5-35e7df459bbe", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615913Z", "creation_date": "2026-03-23T11:45:29.615917Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615922Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c84806a49da944c20a01e7dba7721e88859a5f65ec338ddb5da3a0d6895e7268", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f878c79e-4f66-5bb6-a30d-484b22f03095", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829519Z", "creation_date": "2026-03-23T11:45:30.829521Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829526Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"d128c50214a5b6c3da6c85537974ff31ef44be4bcc3cc549fb1e6986eb8bf5d2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f878d0a6-1c02-58b4-a105-3297a095e71c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.147483Z", "creation_date": "2026-03-23T11:45:31.147485Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.147490Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0923bd21d9c36c4190536db1f8adde19161988d0a66471b002fb1b4df70fae2a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f87c4d78-9e91-5c97-b5d8-7b495888c0b9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973025Z", "creation_date": "2026-03-23T11:45:29.973026Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973032Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9679758455c69877fce866267d60c39d108b495dca183954e4af869902965b3d", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f87e8c6f-d909-5ba6-bcfb-90c512429a89", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816174Z", "creation_date": "2026-03-23T11:45:30.816175Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816181Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c0c52425dd90f36d110952c665e5b644bb1092f952942c07bb4da998c9ce6e5b", "comment": "Vulnerable Kernel Driver (aka ngiodriver.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f8817a8c-2f14-5305-a925-839a0d3d0afb", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.829995Z", "creation_date": "2026-03-23T11:45:31.829997Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.830003Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ec0bf9819b63141cdf8f24415648a234ac220e28fa801c330a6bc9f954ee411c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f88e348a-46c6-54b5-9941-1f945fb3429c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155575Z", "creation_date": "2026-03-23T11:45:31.155577Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155582Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "4add50747f10a3e9aceba7e52b26c4af95bebdfabfa5c9b5a10ed31adb8af823", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f88f0493-5201-598b-ae0a-9ae0d9d84321", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.975394Z", "creation_date": "2026-03-23T11:45:29.975396Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.975401Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ddc5ff33a19baf1630a92723b5d0103fcc9ca58ee2a548526b9439eec3c97fe8", "comment": "Vulnerable AMD Ryzen Master Driver (aka AMDRyzenMasterDriver.sys) [CVE-2020-12928, CVE-2023-20564] [https://www.loldrivers.io/drivers/13973a71-412f-4a18-a2a6-476d3853f8de/, https://github.com/tijme/amd-ryzen-master-driver-v17-exploit, https://github.com/zeze-zeze/HITCON-2023-Demo-CVE-2023-20562] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f8933aca-9712-50c8-8158-dafe3d71bc7c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618531Z", "creation_date": "2026-03-23T11:45:29.618533Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618539Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3cee638c546efe5bd23880da9fa2b90e8dd0fd4a228fb0ad96f6c11d47a52593", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f89e0881-d4b5-58c8-ac08-863426404a29", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612439Z", "creation_date": "2026-03-23T11:45:29.612441Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612447Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ecfc52a22e4a41bf53865b0e28309411c60af34a44e31a5c53cdc8c5733e8282", "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and 
ATSZIO64.sys) [https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f8ade152-b018-5723-b95e-7d67d90d09de", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.474021Z", "creation_date": "2026-03-23T11:45:31.474025Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.474035Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1cc38edb6d2a12869cef4dbee74e8316f0df610b74fe26728094188c66eaa6cc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f8af7b62-56d6-59f7-98eb-92799aefc91e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.829184Z", "creation_date": "2026-03-23T11:45:30.829186Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": 
true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.829192Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "de4328d64c16df3d425ccd79c294016369784b8662a1de7891dfba556c720469", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f8b0064e-c84a-56f1-861b-74bb4798413d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617678Z", "creation_date": "2026-03-23T11:45:29.617679Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617685Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "126719d008d106b7100ae47ed47666c1334701bd7ddb32d5b8e84048f258700f", "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f8cccdc4-ced6-5e08-a26d-249f38049ab3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825423Z", "creation_date": "2026-03-23T11:45:31.825425Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825430Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "920b06859bfcff7484bf2a20d876bbcf1a6d65f8c72050afa388848ad01767e5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f8ce1ea4-9aab-502e-a73e-337ec869c3ff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827525Z", "creation_date": "2026-03-23T11:45:30.827527Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827533Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c3f8afc10771d473f9188d36e035bf96df394cb381c3f18b319f69f8648750e7", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f8d1c31e-cdf4-54c7-a616-4787ff155945", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.452515Z", "creation_date": "2026-03-23T11:45:30.452518Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.452526Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e42d8953f90e0b052adacd6c8e6cc240d723e5b4605ac897fe9667e661f9ed3c", "comment": "Malicious Kernel Driver (aka c94f405c5929cfcccc8ad00b42c95083.sys) [https://www.loldrivers.io/drivers/ddefecdd-9410-46d9-8957-e23aac1aba0c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f8d5b631-b174-53a1-accb-b55aaea18795", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.821926Z", "creation_date": "2026-03-23T11:45:31.821928Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.821933Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b5fdf37acbd3e79bd58b41fb62b2f280d6a6c969b218ecab4bb279299f61adfd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f8d8a329-d8e0-55a6-bdf0-f20da286c3d1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479457Z", "creation_date": "2026-03-23T11:45:30.479459Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479464Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e1d2d76829640542eabc0c96356675c0a930e4607869de8037daf62f898903b5", "comment": "Vulnerable Kernel Driver (aka segwindrvx64.sys) [https://www.loldrivers.io/drivers/a4aa80bc-4ecd-49ab-bc0f-0f49b07fdd7f/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f8e45fc2-199e-5572-8624-ec1271d6285f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968421Z", "creation_date": "2026-03-23T11:45:29.968423Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968429Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1cda1a6e33d14d5dd06344425102bf840f8149e817ecfb01c59a2190d3367024", "comment": "Ours Technology Inc. Dangerous I/O Driver (aka otipcibus64.sys) [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f8e6ff44-980c-565d-8ae3-23e7e3eec757", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.497615Z", "creation_date": "2026-03-23T11:45:31.497617Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.497623Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"6aa0d21b1220237c2fb7d857edca84352fc11a8b177a33344e54c1037e064d20", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f8e914cd-392d-5ffc-928c-3423d653b97b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.480558Z", "creation_date": "2026-03-23T11:45:31.480562Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.480572Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a8ae1c8e388b120b3ac6bb84d2b3d3b032e683f79281360a2cbfbcb3107e3f96", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f8f0ca2c-dab8-5590-b2f7-8e4356626c4f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616256Z", "creation_date": "2026-03-23T11:45:29.616257Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616263Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a6ae7364fd188c10d6b5a729a7ff58a3eb11e7feb0d107d18f9133655c11fb66", "comment": "Huawei vulnerable BIOS update tool (aka Phymemx64.sys) [https://www.loldrivers.io/drivers/268e87ba-ad44-4f3c-986f-26712cac68da/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f8fe3526-971b-53c4-90d5-846568f51a6d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.970211Z", "creation_date": "2026-03-23T11:45:29.970213Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.970218Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "72f100edc998bb2fc40a3a7e7d76c6c37f7173b812f5cd7ae62c824b3fc63d57", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f9031162-1e09-5420-84da-72885ee0bd62", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463327Z", "creation_date": "2026-03-23T11:45:30.463330Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463339Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f6157e033a12520c73dcedf8e49cd42d103e5874c34d6527bb9de25a5d26e5ad", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f9042b32-c4ee-505e-bfef-95b727c438ef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468167Z", "creation_date": "2026-03-23T11:45:30.468171Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468180Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"6e521e54a1e5a03abaae405b58a84758058f3fac5e8cd8a370f232c7dc7bb164", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f907231c-550b-5cd2-9a65-5a074c96c423", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.481134Z", "creation_date": "2026-03-23T11:45:31.481138Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481147Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d7d5c338e4ab0b92bc80961d98a25ceb92a105f58fafda64777d70f6aa138faf", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f90a2ffd-0464-52b4-8ae3-eac317372341", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976155Z", 
"creation_date": "2026-03-23T11:45:29.976157Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976163Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "34e6a56c60746c51034b45a7b2a36617205b598d0bbcc695f92404605a0975d5", "comment": "Vulnerable Lenovo Diagnostics driver (aka LenovoDiagnosticsDriver.sys) [CVE-2022-3699] [https://github.com/alfarom256/CVE-2022-3699] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f916f197-de6b-5c3c-8571-905df60e549b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.476933Z", "creation_date": "2026-03-23T11:45:31.476937Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.476954Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d9733e7799bff5df15ebaa7591d406be7786924a51c819167922e0afa3fda614", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f91c6734-d1ca-59d6-b7ab-a73cb455a6ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490713Z", "creation_date": "2026-03-23T11:45:31.490715Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.490721Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "318ddeb258168ecbaa379f3199089c7cb23f4c9cd498c0a383beaca109878dd9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f91e4cda-4859-5704-9f13-f638b6771aa4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827140Z", "creation_date": "2026-03-23T11:45:31.827142Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827147Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"47bfe2a7b5686f38002e3a5d5663bb74c4b0a7c280519a9b971ffd003071c07b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f92e3c8a-0275-594f-a06e-a17eeca88374", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153806Z", "creation_date": "2026-03-23T11:45:31.153808Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153814Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8481430a617ece277a9a7bf70c0c50b901c46ecb98a92e335c790c937d9bd70b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f92fa147-7d3e-5374-9d17-14819c11a38b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618006Z", "creation_date": "2026-03-23T11:45:29.618008Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618013Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4115b7a30061d11a034188c0ec7a2223f3b032c8b3420cfffabf6c4df692920d", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f9327c82-ba45-5cbb-afdf-706c0149f6fa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475618Z", "creation_date": "2026-03-23T11:45:30.475621Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475630Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bfbc382decb986b6050268e53092eae5e981cb886ccfb116ca7a0b311cef3862", "comment": "Vulnerable Kernel Driver (aka vboxguest.sys) [https://www.loldrivers.io/drivers/0baa833c-e4e1-449e-86ee-cafeb11f5fd5/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"f9368f53-f4c3-559a-a3bc-7f03d37c9d9a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475330Z", "creation_date": "2026-03-23T11:45:30.475333Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.475342Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f0474e76cfd36e37e32cfe5c0a9e05ddee17dd5014d7aa8817ea3634a3540a3f", "comment": "Malicious Kernel Driver (aka ef0e1725aaf0c6c972593f860531a2ea.sys) [https://www.loldrivers.io/drivers/8c2df58f-1e02-4911-ad40-3fa4ed1f4333/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f943649c-5bbb-58b4-947f-d6d4490cf361", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.493852Z", "creation_date": "2026-03-23T11:45:31.493855Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.493865Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "f700eabf6cf46b012b3a0bba05fd7939d6081f686d686591c0021a064c8905a9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f947f404-365b-515a-96d2-a5069eb02091", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825681Z", "creation_date": "2026-03-23T11:45:31.825683Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825688Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "947c7bff48b740945bcee0c26f90952602c023f0226719aed5eb27011016d642", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f9538f55-df4e-501f-9f38-a1a09a117da9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { 
"id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142988Z", "creation_date": "2026-03-23T11:45:31.142990Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142996Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1bebafbe0c2d80ae7087bddb31e91460a94bad99b4bd4176867aee6e16cdd6bb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f9578a90-f1d3-5aa5-a194-4aac65a5ae0e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456811Z", "creation_date": "2026-03-23T11:45:30.456814Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456823Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"f960fffb-8411-5135-afda-a28fcb4a353f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979463Z", "creation_date": "2026-03-23T11:45:29.979465Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979471Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f9f2091fccb289bcf6a945f6b38676ec71dedb32f3674262928ccaf840ca131a", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f9666d23-e67b-5e2b-a5cf-b45775f81d87", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609611Z", "creation_date": "2026-03-23T11:45:29.609613Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609618Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "e6056443537d4d2314dabca1b9168f1eaaf17a14eb41f6f5741b6b82b3119790", "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f96b4b19-958d-5727-b819-3e8f72508355", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.459272Z", "creation_date": "2026-03-23T11:45:30.459275Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.459284Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "639ff79f13e40d47b90ecd709699edd10e740cb41451acb95590a68b6352de2b", "comment": "Vulnerable Kernel Driver (aka netfilter2.sys) [https://www.loldrivers.io/drivers/5ad8a3b6-6d20-4c95-8fa7-9a507167ba3c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f96cdba9-6561-54a9-9025-14a729c93a1d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.822019Z", "creation_date": "2026-03-23T11:45:30.822021Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822026Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a4c9fdd68c1f70df223d50d849fb83d11b1abc2256b8916e195f32360bb647ad", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f980dc73-8f9c-521c-a0ce-ac7962516c38", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822389Z", "creation_date": "2026-03-23T11:45:30.822391Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822396Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "aea066ef46a44a082e437c0fd68671ad77ee626f5864a0c2060e8fb970493635", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f997f526-472b-55f4-9e3a-405fdd9edeb4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822476Z", "creation_date": "2026-03-23T11:45:30.822478Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822485Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f025ad896e6048a329aecb506503a79bc4d2717350f2c0bb7aec8fa52d31ba93", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f9b4c0f4-bc34-5fa7-9d7a-9f1fd6480861", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146709Z", "creation_date": "2026-03-23T11:45:31.146711Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146716Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "79f4933225a3b565ec0f74a64d91319d575dd9eed6ff4868794bfa1d5e82cf51", "comment": 
"Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f9c5a377-f8ca-5879-8e9c-9dd98638ae29", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.834409Z", "creation_date": "2026-03-23T11:45:30.834412Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.834421Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "325ad9da55291b6a1ea583850bcacdb33c07176b554262cb67ba5124f1a304c3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f9e4e385-4191-5d76-b4f1-b3555fff7c1a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145224Z", "creation_date": 
"2026-03-23T11:45:32.145226Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145232Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a1fa7d8275ccd14a6adc438ef4b950e7de4ed26fcbe4b3e184243663b03c83d6", "comment": "Vulnerable Kernel Driver (aka RtsPer.sys) [https://www.loldrivers.io/drivers/32155681-33e8-4d0d-b9f6-c822851e7321/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "f9f0fc4f-3b9c-5ab8-956f-2efa2e1fbeff", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824079Z", "creation_date": "2026-03-23T11:45:30.824081Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824086Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a3b526d6db56c3feadf29d4b0fbd4cfa21f9775e666c50f5a0a8aea81a41854f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fa0dbbd9-0611-5ba5-a59d-12de3508900c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474797Z", "creation_date": "2026-03-23T11:45:30.474800Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474809Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6522fc68fa686a546cd98142b90e5bcbfb8b79127cfb38b9a1249996d3d102dc", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fa13a02f-465c-5ebf-be64-93c774e44dc2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819172Z", "creation_date": "2026-03-23T11:45:31.819174Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819180Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bcb0af2a4110eed3b300569c081426799f44d20ede6db745f2014e887c9bf494", "comment": "Vulnerable Adlice Software 
Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fa1da3f5-b8a6-5d23-b9b5-d96c39be1878", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466580Z", "creation_date": "2026-03-23T11:45:30.466583Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466592Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4999541c47abd4a7f2a002c180ae8d31c19804ce538b85870b8db53d3652862b", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fa26f938-10f4-5567-9516-2c556f033706", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983104Z", "creation_date": "2026-03-23T11:45:29.983106Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983111Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1", "comment": "Malicious Kernel Driver (aka wantd_3.sys) [https://www.loldrivers.io/drivers/a22104a8-126d-449f-ba3e-28678c60c587/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fa29acc7-bd3b-5a57-87be-debe5cc9f3d4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.613701Z", "creation_date": "2026-03-23T11:45:29.613703Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.613708Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "552f70374715e70c4ade591d65177be2539ec60f751223680dfaccb9e0be0ed9", "comment": "BioStar Microtech drivers vulnerable to kernel memory mapping function (aka BSMEMx64.sys, BSMIXP64.sys, BSMIx64.sys, BS_Flash64.sys, BS_HWMIO64_W10.sys, BS_HWMIo64.sys and BS_I2c64.sys) [https://www.loldrivers.io/drivers/9e87b6b0-00ed-4259-bcd7-05e2c924d58c/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fa2c8db6-40a5-54a9-b387-0358d2de1dc6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979429Z", "creation_date": "2026-03-23T11:45:29.979431Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979436Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bb2422e96ea993007f25c71d55b2eddfa1e940c89e895abb50dd07d7c17ca1df", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fa36969f-32d9-5a42-bc76-c9b04b85d871", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.453372Z", "creation_date": "2026-03-23T11:45:30.453376Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.453385Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "714d8791e37373f92f0242a6694cc232686caab69d7ae64b5ed31094cc352893", "comment": "Vulnerable Kernel Driver (aka nicm.sys) 
[https://www.loldrivers.io/drivers/86cff0de-2536-4b8d-a846-a7312c569597/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fa38521f-fe82-5d6b-ac97-5773591e7eba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.835647Z", "creation_date": "2026-03-23T11:45:30.835649Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835655Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8fe64d42542f5546eb8c0a5e1da77ff237585d855344a8f63293ab86d1d56fc0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fa4428fb-3305-572e-bce5-8006479d5538", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.484848Z", "creation_date": "2026-03-23T11:45:31.484852Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.484863Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "356250aa436af02d651c84ba93f674f094e8a98563f58e39fd78cdbdf0e86353", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fa55fdb2-091a-5f8d-b9a2-a20744e4f7f3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825971Z", "creation_date": "2026-03-23T11:45:31.825973Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.825979Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "37527e11e7c25b8b0390a22bfecff2919f261c780e631739ef6acbe9085b674d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fa6574f1-01ca-5ca6-bf2f-44973a4a5dba", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832058Z", "creation_date": "2026-03-23T11:45:30.832060Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832066Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "679c486ab26be098b8cd8bbc2b604eb94eebbb0265f79ccd91fa4d968b406d3e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fa733f42-6a87-5377-86e2-3da723ba4cfc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151810Z", "creation_date": "2026-03-23T11:45:31.151814Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151823Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "90044e79b27d7e5f9afac7f8d5025ad695bdda4f4a9023d2883a02f2c17b13f2", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fa79fb52-7836-5ad5-93ed-2e26ce2eeb32", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605926Z", "creation_date": "2026-03-23T11:45:29.605928Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605934Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bced04bdefad6a08c763265d6993f07aa2feb57d33ed057f162a947cf0e6668f", "comment": "Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fa8815db-5e3d-5372-9faf-655f2c9331d3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974696Z", "creation_date": "2026-03-23T11:45:29.974698Z", "enabled": true, "block_on_agent": 
true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974703Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "92bb92314ad69e9d118df55924ddab76b983029f1eae7739bbb098c6bea86ca1", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fa8a7006-79c8-56b4-8261-70af7dd4c359", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617575Z", "creation_date": "2026-03-23T11:45:29.617577Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617582Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "73a0ccf3e32c262142bde91c19f5b1f395878783f157c6bed5874ede5a3afddd", "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fa9503ed-995a-5d9c-b512-0e12d74f46ab", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.967117Z", "creation_date": "2026-03-23T11:45:29.967121Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967130Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f5c267770f18d720313eedc7ff363989b04b21394e7c0179088d74b4d0fb2630", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fa975892-b079-51dd-ac70-ce2ca2c1e022", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826962Z", "creation_date": "2026-03-23T11:45:30.826964Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826970Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "46257866237fe03e590247dc39daa60635c136eaab3e2c941944ff3348f17cfa", 
"comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "faba1390-bece-5496-bb6a-29630672dca3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486167Z", "creation_date": "2026-03-23T11:45:31.486171Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486181Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "244cf5603ec4960b86137f9bd58877b890871a961061b1160ddfddead099170f", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fabaf23a-9cdc-5bde-8574-0a22fd6295e2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143881Z", 
"creation_date": "2026-03-23T11:45:32.143883Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143889Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ebf6be42d39fd5d9361afa43479f883ff8eba97d72f313ece289f78cb51c22f2", "comment": "Vulnerable Kernel Driver (aka Afd.sys) [https://www.loldrivers.io/drivers/394f49b2-2d78-4d0d-b374-1399695455f3/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fabdc89c-665b-564b-81fc-bb3d16021c83", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826813Z", "creation_date": "2026-03-23T11:45:31.826815Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826820Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "806a9d7578501708a51b0ba5dbd983213dc0dd9ef3818e7b4df2ce520f66dc0c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fabdecc6-6e04-559b-870a-ca18a1b5183d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979585Z", "creation_date": "2026-03-23T11:45:29.979587Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979592Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6ee267fc3d0ac2662a9cfdb0ed5a2354ee09ef4c218303f20350177cae125cf7", "comment": "Malicious Kernel Driver (aka windbg.sys) [https://www.loldrivers.io/drivers/da7314dc-6cf1-4d74-a0d1-796fc08944f8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fac04190-ac64-54a0-9a24-55afd3585784", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826848Z", "creation_date": "2026-03-23T11:45:31.826850Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826856Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5da0f06fdf2f531ce5caac5ea77238fe13fbc3d8bada7bbb36fc1eaa07799a32", "comment": "Vulnerable 
Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fac2f9c1-1536-51fa-aef8-0d00befff49a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499511Z", "creation_date": "2026-03-23T11:45:31.499514Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499523Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "544347a5b7c60b9a501f02b06e51a3c0bc7664b1fe19e85195aa4f0c79d852a9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "faccc13c-b498-578e-8a69-622adab7e1bf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978032Z", "creation_date": 
"2026-03-23T11:45:29.978034Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978039Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0ebaef662b14410c198395b13347e1d175334ec67919709ad37d65eba013adff", "comment": "Vulnerable Kernel Driver (aka bw.sys) [https://www.loldrivers.io/drivers/578d4909-c2ba-4363-b6e3-98fb62d5e55c/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fad2a4e0-97c0-5144-9722-951def34f0e6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479740Z", "creation_date": "2026-03-23T11:45:30.479742Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479747Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4e5cdf9d41843ecf7f9e252b706a0c5ca89ce288a4944ee70dd43fcc06965a8f", "comment": "Malicious Kernel Driver (aka a9df5964635ef8bd567ae487c3d214c4.sys) [https://www.loldrivers.io/drivers/ac62e709-4aa5-41f4-87b1-b811283d70d1/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fad432ed-ceec-502d-8842-59b2284a4619", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": 
"quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157639Z", "creation_date": "2026-03-23T11:45:31.157641Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157649Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5b984209f1d5d681a3bbc876ddb90fd5905155cd0ec5449803e5debd9d066e11", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fad5e050-ef9d-560a-8ef2-fac9adc40a31", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.606157Z", "creation_date": "2026-03-23T11:45:29.606158Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.606164Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7a48f92a9c2d95a72e18055cac28c1e7e6cad5f47aa735cbea5c3b82813ccfaf", "comment": 
"Process Explorer driver (aka PROCEXP.SYS and PROCEXP152.SYS) [https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fadaa988-2483-5eec-a37b-006823421bb2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160030Z", "creation_date": "2026-03-23T11:45:31.160032Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160037Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4909d7e50d71ea4cd72b68a9d9c1a12a96cf1f9d6ff04272e5403ff58cdd31bc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fadbc017-3cec-5f06-91fa-6af3c4f43f2a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150233Z", "creation_date": "2026-03-23T11:45:31.150235Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150241Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5c3ba841467677571942294277c9f922fb79c5de289e7cefda14767e1cb4fd46", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "faf7a12e-4b82-56dc-aa07-7fc9175ba00e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.153284Z", "creation_date": "2026-03-23T11:45:31.153287Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.153294Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dcbfdf5bb3562ab624d954fc95007ca2baa9e6f217ebd7ee2dcc1591a949e211", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fafe9b15-ae6a-52fe-b9f8-1adf16e6d85d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811542Z", "creation_date": "2026-03-23T11:45:31.811544Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811550Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ec936428caafb5e535b9d0cacce885185e314c659746c19dbee4edbd21aeb513", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fb09e78f-4c0a-57ab-aba2-8e81cb33bf19", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159158Z", "creation_date": "2026-03-23T11:45:31.159160Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.159165Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"1021ecbde5a241cb33013cfe9c345f964547a03e79d19b53490e5d33169ea8c6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fb21dc1e-0723-5a94-8ddf-72edd3f5d68a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826438Z", "creation_date": "2026-03-23T11:45:31.826440Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826445Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "55c0a887f87469e26616fe0641d83c971a3024181bd0e53a4250afae53be1a63", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fb27bc42-e488-5f01-995f-79e61d6f6802", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621409Z", "creation_date": "2026-03-23T11:45:29.621411Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621417Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "26453afb1f808f64bec87a2532a9361b696c0ed501d6b973a1f1b5ae152a4d40", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fb31c830-53bf-54d2-8fd6-825779e21050", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468692Z", "creation_date": "2026-03-23T11:45:30.468695Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468704Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "869f22f072f71abc741cf9d3b9cbc9020a2611286670c6e6d67cd240629518f6", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fb3749f5-6e21-5cca-8532-836149bdf73f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, 
"global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.495984Z", "creation_date": "2026-03-23T11:45:31.495987Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.495996Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee3a1b13c31103c100ada53e267d1fa27a0573aa54919d29249b66fd9507a9b6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fb3d6cd5-b776-5f54-bf11-f21218709141", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.968203Z", "creation_date": "2026-03-23T11:45:29.968205Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.968210Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"810513b3f4c8d29afb46f71816350088caacf46f1be361af55b26f3fee4662c3", "comment": "ENE Technology Inc Vulnerable I/O Driver (aka ene.sys) [https://swapcontext.blogspot.com/2020/08/ene-technology-inc-vulnerable-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fb47e5b1-d5e2-5741-9d14-fecf7dfaa15d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.620159Z", "creation_date": "2026-03-23T11:45:29.620161Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.620166Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "29e0062a017a93b2f2f5207a608a96df4d554c5de976bd0276c2590a03bd3e94", "comment": "IBM Vulnerable Physmem drivers (aka citmdrv_amd64.sys and citmdrv_ia64.sys) [https://www.loldrivers.io/drivers/0f21a584-6ace-4242-82cb-9766cea6973a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fb4aa9a3-9491-5088-93a0-7542d0bb2ad4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.971926Z", 
"creation_date": "2026-03-23T11:45:29.971927Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.971933Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9f6ef002bf7603672cf350831065aa3664f930e9587ae8fd3bfc93ca3f21a707", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fb52a350-3a84-58c0-821f-7defafc2ccca", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619106Z", "creation_date": "2026-03-23T11:45:29.619108Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619113Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "46cb4aabe49917be885f2c42ade92aceda6b9d0b7739cf0e7c3c6d93820b67c3", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fb5481e1-78a0-507e-905f-01aea27dbabe", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.974909Z", "creation_date": "2026-03-23T11:45:29.974911Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.974916Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ab3e5217c5ec836a882d68a23b017de5b4f88328510e4bcb9564759926aec89f", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fb5a53bd-d5a1-572a-a4a0-8b9b1ad5eac5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.143242Z", "creation_date": "2026-03-23T11:45:32.143244Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.143250Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": 
null, "references": [], "type": "hash", "value": "7cb497abc44aad09a38160d6a071db499e05ff5871802ccc45d565d242026ee7", "comment": "Vulnerable Kernel Driver (aka iQVW64.SYS) [https://www.loldrivers.io/drivers/4dd3289c-522c-4fce-b48e-5370efc90fa1/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fb640e01-dff7-5a80-a110-79e5cdbf1264", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.815804Z", "creation_date": "2026-03-23T11:45:30.815806Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.815811Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "81fbc9d02ef9e05602ea9c0804d423043d0ea5a06393c7ece3be03459f76a41d", "comment": "Vulnerable Kernel Driver (aka FPCIE2COM.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fb66461a-5ba5-5954-833a-988883514cb8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983491Z", 
"creation_date": "2026-03-23T11:45:29.983493Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983498Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "221dfbc74bbb255b0879360ccc71a74b756b2e0f16e9386b38a9ce9d4e2e34f9", "comment": "Vulnerable Kernel Driver (aka Netfilter.sys) [https://www.loldrivers.io/drivers/9454a752-233e-4ba2-b585-8da242bf8f31/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fb74d5c1-f83a-5d3d-b7b1-0cf3fb02149d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.616398Z", "creation_date": "2026-03-23T11:45:29.616400Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.616406Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "990165725debccea7ca15aa4ed7a0e3a2a25b4a72cb309a27c899bd0e4b5148f", "comment": "American Megatrends vulnerable BIOS flash tool (aka UCOREW64.SYS and amifldrv64.sys) [https://www.loldrivers.io/drivers/a338a9fc-9fe3-400c-9fe4-69bb7892602d/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fb8a86ef-bf0c-5305-ac30-57122fa59a8c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828047Z", "creation_date": "2026-03-23T11:45:30.828049Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828054Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b4059ef4aced7c629f7ae56ac40c6bdcedc43fa9077990ee5994556de40c0f95", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fba0be65-8fd0-53c5-9649-639b2735b92b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.812186Z", "creation_date": "2026-03-23T11:45:31.812188Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.812194Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"85e24c00c5c5de599141a735c97d584da8bb39bbcd8f78447f7522866e90ac6a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fbaa4cc5-4f4f-5c15-80ae-bd7014370e92", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984675Z", "creation_date": "2026-03-23T11:45:29.984677Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984683Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6071db01b50c658cf78665c24f1d21f21b4a12d16bfcfaa6813bf6bbc4d0a1e8", "comment": "Vulnerable Kernel Driver (aka VBoxUSB.Sys) [https://www.loldrivers.io/drivers/5938df1d-9513-449f-8252-c442ddca0c2a/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fbb51792-c97c-58e3-b0dd-053d169ddc97", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831567Z", 
"creation_date": "2026-03-23T11:45:30.831569Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831574Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ba8cc319eac7d94be45bb67e8fe746da519fc457b0479621464b861eed80b360", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fbba39da-5cc1-510e-ad39-9be9f7e1f57d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828895Z", "creation_date": "2026-03-23T11:45:30.828897Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828902Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b72ea6d11a53e4f4e094aa635b9c039f47093b0f722e88d2681d1270e8ef4698", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fbbe80ce-6f61-57c6-9ffe-e5122d6ccb44", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.978510Z", "creation_date": "2026-03-23T11:45:29.978512Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.978517Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "68dca726b16c56c70259c8f936ec20adb9ecb8c3cc73985083f41358c83935f4", "comment": "Vulnerable Kernel Driver (aka sandra.sys) [https://www.loldrivers.io/drivers/a7628504-9e35-4e42-91f7-0c0a512549f4/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fbe8c7be-3e4c-53b1-b933-0a3fb3e39cd1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156706Z", "creation_date": "2026-03-23T11:45:31.156708Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156714Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"2a3ce27a2f733926e2666c7911efd01c2ab2e5d788aab5fe4e347c99ea2cb241", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fbf23471-f2ca-5fe7-a959-896d29c96c78", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614562Z", "creation_date": "2026-03-23T11:45:29.614564Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614570Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "50d5eaa168c077ce5b7f15b3f2c43bd2b86b07b1e926c1b332f8cb13bd2e0793", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fbfa9ab3-f36d-58f7-86b3-e5aa9695f89c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:31.141095Z", "creation_date": "2026-03-23T11:45:31.141098Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141106Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ea21b449d1dea61c47d55ecc9981ab7c2959d6652907a303163600f67f58542a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fc1e8d2b-e1f0-5273-9b1d-bc9a0379c31a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145755Z", "creation_date": "2026-03-23T11:45:32.145757Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145762Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f43b0b9a1d1445ba66e8370397cb22142439fa4062b7b05e30f9b26a370d767c", "comment": "Malicious Kernel Driver (aka driver_668c5bea.sys) [https://www.loldrivers.io/drivers/04eefdf4-448d-45bb-87fc-93f263fc77f4/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fc30359b-bdac-53a9-a72d-0812411f6ab8", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.466972Z", "creation_date": "2026-03-23T11:45:30.466975Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.466985Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7b49579b74108e2418a6b401cd729e3fafe1c8ba1fe8434f73c8d0f1758b08d3", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fc3362e1-7c3c-5445-9d07-d05024d5b7c9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155136Z", "creation_date": "2026-03-23T11:45:31.155138Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155144Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"9e0245a1671aaef05e6622fc3714cd12c2a462d671e7d5fc27dff521f7b990af", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fc38f201-6e9c-54ee-a11e-368d06f001e0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.471318Z", "creation_date": "2026-03-23T11:45:30.471322Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.471330Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bdcacb9f373b017d0905845292bca2089feb0900ce80e78df1bcaae8328ce042", "comment": "Vulnerable Kernel Driver (aka rwdrv.sys) [https://www.loldrivers.io/drivers/fbdd993b-47b1-4448-8c41-24c310802398/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fc3cf96f-1b6b-5228-8543-5ab39a7d8a72", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.815490Z", 
"creation_date": "2026-03-23T11:45:31.815492Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.815498Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d2b85836b0888b91b3ad457d025d411bcc580c3bb74eadb8f3a5db87da94ebf0", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fc3efe2e-cc59-5263-abad-c17d7af26d3c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.605285Z", "creation_date": "2026-03-23T11:45:29.605287Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.605293Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3c97b5c4ed563047d79e7e015a691d00f06c3737ef156d1e5b4bdfe325b6f7d9", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fc4a48b7-8ea0-5d9e-b5d9-17410fb4d17b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.824915Z", "creation_date": "2026-03-23T11:45:30.824919Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.824928Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "20e178dce3eff6e8a1c1cb1f70d669c3e5a5ef3fa5e961b14975fb69eec1f2d5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fc4db004-c402-50d7-b753-80fec151d311", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604243Z", "creation_date": "2026-03-23T11:45:29.604245Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604250Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"93f787e33a663311a6a553db1c7d7e5b3f4cd20b0b7725b35dbd0dd67308cef4", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) [https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fc5355c6-2e4f-59e4-a411-cc807cdf9a10", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.604969Z", "creation_date": "2026-03-23T11:45:29.604970Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.604976Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2269f6117274297a63e149c6dac51bc3780fd1f64b111f5fa535e1d5718ebccf", "comment": "Process Hacker driver (aka kprocesshacker.sys) [https://processhacker.sourceforge.io/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fc5d492f-7c7f-54e5-bce4-ec16139e95c6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.489928Z", "creation_date": "2026-03-23T11:45:31.489931Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.489940Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "193d2589c7c929ad3dccc5c8cace740f018615c6d2f3f210e362de1abb06e5c6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fc5f422e-4d08-5fe3-bc3f-5fa9a2b9614a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.144176Z", "creation_date": "2026-03-23T11:45:31.144177Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.144183Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a5605d952927cc8cbfa504498e70585410bd3224c04fd5f57ab6586a4afb11f5", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fc662720-fa09-5f24-be58-45978b2757c8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", 
"effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.609702Z", "creation_date": "2026-03-23T11:45:29.609704Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.609709Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5351c81b4ec5a0d79c39d24bac7600d10eac30c13546fde43d23636b3f421e7c", "comment": "Novell vulnerable driver (aka nicm.sys, nscm.sys and ncpl.sys) [CVE-2013-3956] [https://www.loldrivers.io/drivers/f4126206-564f-49f5-a942-2138a3131e0e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fc6adc50-9e4c-55c8-a42b-52186b5d3413", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.454388Z", "creation_date": "2026-03-23T11:45:30.454391Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.454400Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d9500af86bf129d06b47bcfbc4b23fcc724cfbd2af58b03cdb13b26f8f50d65e", "comment": "Vulnerable 
Kernel Driver (aka kEvP64.sys) [https://www.loldrivers.io/drivers/fe2f68e1-e459-4802-9a9a-23bb3c2fd331/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fc6deb0e-4bc2-5165-9aae-6ae95c2b184d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.155841Z", "creation_date": "2026-03-23T11:45:31.155843Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.155848Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d2677a15c494668bf73dcc0849de41ee79e3b782d51ac04a2542a00933d09ff", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fc705fbb-0953-514e-8f71-d3bcd4ddce67", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610529Z", "creation_date": "2026-03-23T11:45:29.610531Z", "enabled": true, "block_on_agent": true, 
"quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610536Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6befa481e8cca8084d9ec3a1925782cd3c28ef7a3e4384e034d48deaabb96b63", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fc80852c-1cf6-571c-93f0-3b9fe3f8ae00", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.830669Z", "creation_date": "2026-03-23T11:45:30.830672Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.830677Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cd3fdc5c338e21e8d8fd9d586fabfdb9fec312f3852bb278fe87ef64d05f78d6", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fc92cf50-8182-5dc8-a553-174219eeebef", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462440Z", "creation_date": "2026-03-23T11:45:30.462443Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462452Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "51141c22e37d651703dd57cfda018ff06a0175a78e7c72f8ad733a281721716a", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fc92f795-d840-53fa-bc9d-821cbab77b7e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621720Z", "creation_date": "2026-03-23T11:45:29.621722Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621728Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "923ebbe8111e73d5b8ecc2db10f8ea2629a3264c3a535d01c3c118a3b4c91782", "comment": "ASUSTeK GPU vulnerable physmem driver (aka AsIO2_64.sys) 
[https://syscall.eu/blog/2020/03/30/asus_gio/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fc96a0ad-c4e5-5ef4-9dec-6855d0425773", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.480082Z", "creation_date": "2026-03-23T11:45:30.480084Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.480089Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "37022838c4327e2a5805e8479330d8ff6f8cd3495079905e867811906c98ea20", "comment": "Vulnerable Kernel Driver (aka stdcdrv64sys.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fca72425-70e1-5931-90ff-bc4ce2f3bcc9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.475044Z", "creation_date": "2026-03-23T11:45:30.475047Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:30.475057Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e3d9b90e2a1a6e997dd3e3ed6b05aa3230d8ca3c25477b847dbe163c0367cc7e", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fcaf0b25-ff9b-5e21-97e3-a2cd820b7487", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148096Z", "creation_date": "2026-03-23T11:45:31.148098Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148103Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ad25321c6d5d453f61877d4518ff9dd0f0f9c46b11f91743441dedb36075844c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fcb41e68-7090-5703-a079-d66b45301a9d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", 
"rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.819571Z", "creation_date": "2026-03-23T11:45:31.819574Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.819582Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ccb06410b63db03f5b8f86a99dca017b8a6f4ac8917e3e7b628d7a7ade9f813c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fcb70074-4888-59d1-96cc-738a6e94bfe4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479539Z", "creation_date": "2026-03-23T11:45:31.479543Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479553Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9b66ad8c72063d4a3cc34aaa8cfee8dd7489880e2d369b1ed4ccc5cbea86c2bc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fcb84375-1445-52b9-a0de-0797e6164ca1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.985082Z", "creation_date": "2026-03-23T11:45:29.985084Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.985089Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "21ccdd306b5183c00ecfd0475b3152e7d94b921e858e59b68a03e925d1715f21", "comment": "Dangerous Physmem Kernel Driver (aka HwRwDrv.Sys) [https://www.loldrivers.io/drivers/e4609b54-cb25-4433-a75a-7a17f43cec00/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fcba455e-e89e-5077-bc0b-25f9a8ff3ec7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.825669Z", "creation_date": "2026-03-23T11:45:30.825671Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", 
"hl_testing_start_time": "2026-03-23T11:45:30.825677Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a87cbd4cdb3261b10539c2611d69ae66ee38eb83b2d6ffdfe832e348f8a543ea", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fcbfa754-e04a-5333-b166-732dea479ae2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486263Z", "creation_date": "2026-03-23T11:45:31.486267Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486276Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cb576807ce3385d1007d8d6aa6cd6c54c946eb78ec947d67cefe8fab58e99e26", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fcca48bc-3cbd-5d7d-9b48-b4c82b84c248", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.811435Z", "creation_date": "2026-03-23T11:45:31.811437Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.811443Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "72d17c16571c89cf3c7d1c48cf590e16704dc1758c4d6b9d3172cedae957e6fd", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fccfad40-c74b-531d-95c1-0a11cb615acd", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.621794Z", "creation_date": "2026-03-23T11:45:29.621796Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.621801Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a7bb08f99a9701482ce693d71e95559b10a247c4e8f50deba8097b0d3f191532", "comment": "ASUSTeK GPU vulnerable physmem driver (aka 
AsIO2_64.sys) [https://syscall.eu/blog/2020/03/30/asus_gio/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fcd23c3c-477b-5ef1-8309-05c5087575af", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.456752Z", "creation_date": "2026-03-23T11:45:30.456755Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.456764Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "faa9aa7118ecf9bb6594281f6b582f1ced0cc62d5db09a2fbf9b7ce70c532285", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fcdbc473-378e-539f-8bd4-3758805f1c44", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.159349Z", "creation_date": "2026-03-23T11:45:31.159351Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:31.159356Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e3739737765880d445f9a5b1dcfc6f5e8832e01738724f2c003b67226faf3823", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fcdfd4fc-513f-5bbe-b465-1b84f78302cb", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.815574Z", "creation_date": "2026-03-23T11:45:30.815589Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.815603Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "903d6d71da64566b1d9c32d4fb1a1491e9f91006ad2281bb91d4f1ee9567ef7b", "comment": "Vulnerable Kernel Driver (aka RadHwMgr.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fceb7018-587a-596f-a52c-e45e343d5424", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": 
"af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.481097Z", "creation_date": "2026-03-23T11:45:30.481099Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.481105Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cf370bf2ef3fb6fd5e9722bad8af5347b74ce7252d291e2958b365aad1b0bb76", "comment": "Vulnerable Kernel Driver (aka TdkLib64.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fcf105c6-9ca9-5e21-aa70-a52475b2dda0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808468Z", "creation_date": "2026-03-23T11:45:31.808470Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808476Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "002744572989f91fd5edf800ffc6baefeea877eca3b8d7c9abbfa5e29b1b3b5e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) 
[https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fcf64e10-0548-58e4-b36f-2e272fc54e6d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.160100Z", "creation_date": "2026-03-23T11:45:31.160102Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.160108Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "80f793cd949b16335e835de748c5d15ca945c72c0cef50371ae80f931805b206", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd065efe-8ffc-5cc7-accc-40f56dce9e7f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.487236Z", "creation_date": "2026-03-23T11:45:31.487238Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.487244Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3943991d2624914a5f8c16d7f4060601e4c09f1eae37e0dd13616e1ff53493a7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd0b387f-056e-5f2c-beee-38eace13fd4f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140601Z", "creation_date": "2026-03-23T11:45:31.140603Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140608Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "46b35f77b7c6dfbafe431538b4b790bb4f709ae3dcbb8e24023809805b31b9d4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd129ccd-f4bc-5f7a-b475-71cbe3c09e78", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.498388Z", "creation_date": "2026-03-23T11:45:31.498392Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.498400Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "067748aeeb35971ba770bf2cd652eef93add635e5228a76b0a2c815d483f520d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd21c610-3d7e-53b0-afd5-054e7746aabe", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142629Z", "creation_date": "2026-03-23T11:45:31.142631Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142636Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "dd51b2f62eb091d20bd898a9680b6c55f37920e9026142d604e5fd0a2698013d", "comment": "Vulnerable Adlice 
Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd2d3628-4315-54b0-a7e3-a280a80e3d7e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.473417Z", "creation_date": "2026-03-23T11:45:31.473420Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473430Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "213d3b79119bfd48176f99c0e15ec19b0082eaab0dc0a744ab1151e21479ffe2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd2efac5-b10e-5f16-aa61-f805c9b5962a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.463356Z", "creation_date": 
"2026-03-23T11:45:30.463360Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.463369Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4af8192870afe18c77381dfaf8478f8914fa32906812bb53073da284a49ae4c7", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd32d148-d91b-5f7f-97ad-9757e97a5e13", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809444Z", "creation_date": "2026-03-23T11:45:31.809447Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809454Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "34330c8d41b2600513912d286a6a9c7b9839b2a34ab6b6118db18bc7e4c80718", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd3d90d8-2535-5daa-9e7e-4d0e5798139a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.822411Z", "creation_date": "2026-03-23T11:45:31.822414Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.822422Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7516a0d5bf936c2c9718250219bdd5a61f92767006f744e4f8c11b1698e684fb", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd4086b8-b296-59b1-b0cc-7eae15ce3836", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.486138Z", "creation_date": "2026-03-23T11:45:31.486141Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.486150Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"3fa1e8727a84561d848040a770106a51e69023f35bd05566e3c35229328956e9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd42167b-de94-5c33-ad28-9edb3fb48d7c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826456Z", "creation_date": "2026-03-23T11:45:31.826458Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826463Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2c36c1d52bbe66ca632637c419537e3b5d1d366791a7053249649d5d6a1dc331", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd4dfa0c-bb0c-5c3f-960b-e2d864570d4a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.969853Z", "creation_date": "2026-03-23T11:45:29.969855Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.969860Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "596c497e7e405ceb79ba0ba45f993125d88d50fc18867048d0c7a356ebd0c0ed", "comment": "Avast Vulnerable Driver (aka aswArPot.sys) [CVE-2022-26522, CVE-2022-26523] [https://www.mandiant.com/resources/blog/unc2596-cuba-ransomware] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd56913e-891f-59af-8479-51a4d724c94c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983317Z", "creation_date": "2026-03-23T11:45:29.983319Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983324Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3c6f9917418e991ed41540d8d882c8ca51d582a82fd01bff6cdf26591454faf5", "comment": "Vulnerable Kernel Driver (aka dcr.sys) [https://www.loldrivers.io/drivers/b1dd91b1-9ba3-4d68-a2d1-919039e18430/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd5c958e-4343-5885-b4bd-4e0d3326a15b", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.826674Z", "creation_date": "2026-03-23T11:45:30.826676Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.826681Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "903f2d45806520607ad555ba09be0a58bfda695ef8e9369b9a5488e2a62b9824", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd604202-9a23-5f54-bc1d-93b7a69e53ed", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.828120Z", "creation_date": "2026-03-23T11:45:30.828122Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.828127Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"62eb6173b66b077a3209dfbd91799d31d903459cbf42cf589070e688704d877b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd66692b-facb-5e41-8080-ceb16408cb74", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615485Z", "creation_date": "2026-03-23T11:45:29.615487Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615492Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "5a63937a6320f50c4782d0675104932907d16a91d89088ac979a7a0129aad986", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd74cbe1-e6c3-5148-8ecf-0f4ab516f39a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:31.473672Z", "creation_date": "2026-03-23T11:45:31.473676Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.473685Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2f6f5ce1c93097510f16357742bf393141da37f6f1a2d889c32f93c76029fca9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd76cff3-8e1b-5b8a-b744-fd14d33614e1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.828148Z", "creation_date": "2026-03-23T11:45:31.828150Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.828156Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6b2f24cf8c0550c2d04bf3571f7d406f84f8ebb5c80805030cca52c8a957a815", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"fd783263-fc82-538b-b16c-4f080e692e96", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.831272Z", "creation_date": "2026-03-23T11:45:30.831274Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.831280Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "775a8740685d468911625d152917d450ea41968162aeb6fe80bf1c2e36aee862", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd809f73-ef60-5e97-8813-8880c5f82660", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460069Z", "creation_date": "2026-03-23T11:45:30.460072Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460080Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d9a2bf0f5ba185170441f003dc46fbb570e1c9fdf2132ab7de28b87ba7ad1a0c", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) [https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd8a092a-ad18-5fcd-a481-b73145a448d1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819278Z", "creation_date": "2026-03-23T11:45:30.819280Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819285Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d45600f3015a54fa2c9baa7897edbd821aeea2532e6aadb8065415ed0a23d0c2", "comment": "Vulnerable Kernel Driver (aka hwdetectng.sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd9662c8-25a9-5cc1-8679-8e07913bc0d8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:30.457592Z", "creation_date": "2026-03-23T11:45:30.457596Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457605Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4ecb25cb7a127729a0124d1c0e0ba7dd0c24a02f48f40f6af174b15581b6925c", "comment": "Vulnerable Kernel Driver (aka rtkio64.sys) [https://www.loldrivers.io/drivers/8d3f27bd-c3fd-48d0-913a-e2caa6fbd025/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd977d02-b5d6-5c63-b14c-feb34aea6e49", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973042Z", "creation_date": "2026-03-23T11:45:29.973044Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973049Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ada4e42bf5ef58ef1aad94435441003b1cc1fcaa5d38bfdbe1a3d736dc451d47", "comment": "Elaborate Bytes vulnerable driver (aka ElbyCDIO.sys) [CVE-2009-0824] [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd9c16ae-128a-5e10-bd0d-d8c200f7c48f", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.154007Z", "creation_date": "2026-03-23T11:45:31.154009Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.154014Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1e6bc1f84a7867714aa8ba2a45e24b0546b869e58e1e7b33992d4f3583590d27", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd9c73b3-810d-5a6f-b8bb-74e23c057d52", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145603Z", "creation_date": "2026-03-23T11:45:32.145605Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145611Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"131e84e32dae6954247fc0699d5ba52bf2936b5a782c795ae9e708829a5c26d6", "comment": "Vulnerable Kernel Driver (aka pxitrig64.sys) [https://www.loldrivers.io/drivers/c8619f49-8e23-489b-9878-53d27533da15/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fd9e94ab-a4de-5be6-a136-0ed10abcb1e1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836451Z", "creation_date": "2026-03-23T11:45:30.836453Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836458Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "17a05f99826e8b1ebf223377dbcc8a007f4f22dddfad72058f040957485df030", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fda3e07d-75e3-5587-b3a5-0e8c31bbc0e3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.807822Z", 
"creation_date": "2026-03-23T11:45:31.807825Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.807834Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "168bb136f51bc4b442eb62e78fe0fe30972a6a833c38398e1a7a470fb8c91cd8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fdb1ac33-8668-5ce9-85f0-bc01568e5e8a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612897Z", "creation_date": "2026-03-23T11:45:29.612899Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612904Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fd388cf1df06d419b14dedbeb24c6f4dff37bea26018775f09d56b3067f0de2c", "comment": "Marvin Test Solutions HW vulnerable driver (aka Hw.sys and Hw64.sys) [https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fdba7b11-9db5-57ee-89bf-bc6243d26a9c", "test_maturity_current_count": 0, 
"test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157240Z", "creation_date": "2026-03-23T11:45:31.157242Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157248Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c92e8c94f05926a0f324c85f809fd236ee6f99a83ccfa9c2bcd3dc4dc9e8c7b8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fdcf4eb2-3a8f-5204-9f16-1afce0834a21", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.973484Z", "creation_date": "2026-03-23T11:45:29.973486Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.973491Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "0909005d625866ef8ccd8ae8af5745a469f4f70561b644d6e38b80bccb53eb06", "comment": "Trend Micro Anti-Rootkit Common Module vulnerable driver (aka TmComm.sys) [CVE-2007-0856] [https://www.loldrivers.io/drivers/22aa985b-5fdb-4e38-9382-a496220c27ec/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fdd86998-51c5-5955-adf1-85747cf9dfc9", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.823755Z", "creation_date": "2026-03-23T11:45:30.823757Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.823762Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c3a3c92951a3675d38186e33dd186c4df05214d1c7814b4e81201c043feb0c6e", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fddca3ea-f400-52b5-a7a2-ccea4335da76", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.150251Z", "creation_date": "2026-03-23T11:45:31.150253Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.150259Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "679a104a53ca0707f98f46308069c5d3bbf625ef008e75b2c01993dee6e54cb7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fddecbd7-a621-5813-a01c-14e7fffa138f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479548Z", "creation_date": "2026-03-23T11:45:30.479550Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479555Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "29d765e29d2f06eb511ee88b2e514c9df1a9020a768ddd3d2278d9045e9cdb4a", "comment": "Malicious Kernel Driver (aka e939448b28a4edc81f1f974cebf6e7d2.sys) [https://www.loldrivers.io/drivers/4f2edf45-b135-404f-bedc-9583f0bae574/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fde3043b-6bf5-5510-b834-d627dfa375ae", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983738Z", "creation_date": "2026-03-23T11:45:29.983740Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983745Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d3d601c77d4bb367ab3105920ca8435aa775448a49c1eda6ac6f46ee5d8709cb", "comment": "Vulnerable Kernel Driver (aka AsrAutoChkUpdDrv.sys) [https://www.loldrivers.io/drivers/b72f7335-6f27-42c5-85f5-ed7eb9016eac/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fde5dd99-4ef2-5dc6-ab7d-395aeffb899c", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.148962Z", "creation_date": "2026-03-23T11:45:31.148964Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.148970Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", 
"value": "f060130fad8cc5f7ca388801f6d42a3cae26e19841aad9e5d944e79e6f7e288d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fde666b5-832d-5130-b6fa-10651df90bc6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.809569Z", "creation_date": "2026-03-23T11:45:31.809572Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.809580Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c13eff9d6aeb9458902878207e6224d0f31f30d05fd83aa654add43219a33084", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fdeb7371-86a2-515c-92f8-ce7608e295f1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808576Z", "creation_date": "2026-03-23T11:45:31.808579Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808584Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e5edc5325e00f7aa95e4f6f698962f86d9378ff8c3604c52b6bf6d354a75f155", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fdf439b8-c973-560b-99f3-f71dafc19335", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465368Z", "creation_date": "2026-03-23T11:45:30.465372Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465381Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "51805bb537befaac8ce28f2221624cb4d9cefdc0260bc1afd5e0bc97bf1f9f93", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fdf9b4e3-740a-5d28-83f9-fe7a1ec72a0c", "test_maturity_current_count": 
0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479206Z", "creation_date": "2026-03-23T11:45:31.479209Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479220Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c621ad6afe87288d22cc0f34671d45715b92ef31d7d39fd79188a706b9da12f2", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe035dec-a880-51c1-873b-f05d2505befc", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.826233Z", "creation_date": "2026-03-23T11:45:31.826235Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.826241Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "775084db4927dc7a387096c4ce6adf7720d56520700c55d0ca373a16ee7c654a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe0c8695-8153-5452-bbcc-008544e11cfa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.814287Z", "creation_date": "2026-03-23T11:45:31.814290Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.814299Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6d8975092b4a8b643af5bd04fd5973e74607ad44fa274ad0d12d8051228db039", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe0e7ebe-fe57-5e8c-b036-0dc9a25c7417", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, 
"origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.474005Z", "creation_date": "2026-03-23T11:45:30.474008Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.474017Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "88671ef30520d11a63a4cb3acf6b1c827c82acced657baa8f371034957ddf825", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe0fe43b-69b1-58d6-bcce-ed2452f59aaf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.827561Z", "creation_date": "2026-03-23T11:45:30.827563Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.827568Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "854ed66189aafb979aaafc60d03a58e5b96e08c6345183bfc06ac27dbb832053", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe1a336f-5f83-5860-be4b-9fb4dd26d57d", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.143042Z", "creation_date": "2026-03-23T11:45:31.143044Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.143049Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2a83762324a1e0d224566b083cd808f582c4e04bc99e02b6e418bda23a12db25", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe20c382-5062-50a5-91b5-6570ab004878", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.617643Z", "creation_date": "2026-03-23T11:45:29.617645Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.617651Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "c9b8ecd0657fda14476920fe47783bd8a951d7a4a640935d9199b4a7ae4b8b69", "comment": "ATI Technologies vulnerable GPU flash tool (aka atillk64.sys) [CVE-2020-12138] [https://www.loldrivers.io/drivers/61514cbd-6f34-4a3e-a022-9ecbccc16feb/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe236022-89b6-54e2-b97d-17b3a3c238c6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.983299Z", "creation_date": "2026-03-23T11:45:29.983301Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.983306Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "462cd6db3c0be714dd751466d5871c111812faf392c468c81a88cb0da4783458", "comment": "Vulnerable Kernel Driver (aka DBUtilDrv2.sys) [https://www.loldrivers.io/drivers/bb808089-5857-4df2-8998-753a7106cb44/,https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe251034-4ba0-5d27-80b0-ad8dfa72eab1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, 
"last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.610300Z", "creation_date": "2026-03-23T11:45:29.610302Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.610308Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2101d5e80e92c55ecfd8c24fcf2202a206a4fd70195a1378f88c4cc04d336f22", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe34b5db-ba0a-5877-b632-98bcac0e3316", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.151986Z", "creation_date": "2026-03-23T11:45:31.151988Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.151996Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0f6e476d42dabffd178a622805677695a9f077497964e37121940ef145528ff", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": 
"af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe357f21-9829-588a-b0e4-bbbcc1db9019", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.146902Z", "creation_date": "2026-03-23T11:45:32.146905Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.146910Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "015956494226d4cbb89283c7b915a46353670c7d41e02f0f2ba741c0d2c73615", "comment": "Vulnerable Kernel Driver (aka BioNTdrv.sys) [https://www.loldrivers.io/drivers/e6378671-986d-42a1-8e7a-717117c83751/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe365c9b-2965-5ddc-9d30-93e2e3aba9a0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.468555Z", "creation_date": "2026-03-23T11:45:30.468558Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.468567Z", "rule_level": null, "rule_level_override": null, 
"rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "13999eb266b759e879816fdab640d59ef9e35e2ea61575810979d9eb22fdfd4d", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe45c1ce-334b-55e6-9f47-ef3ff75a2086", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822336Z", "creation_date": "2026-03-23T11:45:30.822338Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822343Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3eea0723a9007f5a85382cd2e92d9f9cc94bb9e2f7fbb6d99a7c70c8527caa5a", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe45ebae-252b-545b-9470-2615b6528b89", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.478076Z", "creation_date": "2026-03-23T11:45:31.478080Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.478107Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4f41710a76004fde6747989dab3cc4ec3cde19e40499b7210b67c83c69fae2fe", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe49018c-40a5-5bb7-9552-13a7f405aac2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.462057Z", "creation_date": "2026-03-23T11:45:30.462060Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.462069Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "083a311875173f8c4653e9bbbabb689d14aa86b852e7fa9f5512fc60e0fd2c43", "comment": "Malicious Kernel Driver (aka mimikatz.sys) [https://www.loldrivers.io/drivers/14556074-b235-4378-b356-f58721629d72/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe52c3fd-5f98-5a15-997b-fdff7abb212a", "test_maturity_current_count": 
0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.622402Z", "creation_date": "2026-03-23T11:45:29.622404Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.622409Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0be4912bfd7a79f6ebfa1c06a59f0fb402bd4fe0158265780509edd0e562eac1", "comment": "PassMark vulnerable driver (aka DirectIo32.sys and DirectIo64.sys) [CVE-2020-15479] [https://github.com/eset/vulnerability-disclosures/blob/master/CVE-2020-15479/CVE-2020-15479.md] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe535935-34ce-50f7-b996-bc197d68e862", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.144902Z", "creation_date": "2026-03-23T11:45:32.144905Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.144910Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], 
"type": "hash", "value": "ae095718a860962d213622b719f8dbcde190e4bedc2cd92e3865efaede65380f", "comment": "Vulnerable Kernel Driver (aka tboflhelper.sys) [https://www.loldrivers.io/drivers/07c57c69-c8d7-40cf-8bcc-612671427044/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe54003a-4eca-5a70-8484-9505c0d947c1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.833671Z", "creation_date": "2026-03-23T11:45:30.833675Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.833683Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2a414cc7b9da40056835645b86ff7b722160c6e41add2d4a527cca1256086a2d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe58a499-1770-56d0-be87-c8f96c9040e7", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": 
"2026-03-23T11:45:30.835755Z", "creation_date": "2026-03-23T11:45:30.835757Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.835762Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1c2c87b67ce1fc02c4b1fc748d8e444bfac462394f88c7547a2d1b2cb8d9b2e3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe594c97-a92b-5aa7-a1b8-0b0a8c2fb8e4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.827730Z", "creation_date": "2026-03-23T11:45:31.827732Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.827737Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8bab93587bf3d029723aa1348414a9aff5e032d52811ad42d6d8649d7668cc1a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe5c63ee-c7f1-5795-8484-6b69cef39233", 
"test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.618443Z", "creation_date": "2026-03-23T11:45:29.618445Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.618451Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fe2fb5d6cfcd64aeb62e6bf5b71fd2b2a87886eb97ab59e5353ba740da9f5db5", "comment": "NVIDIA vulnerable flash tool (aka nvflash.sys and nvflsh64.sys) [CVE-2019-5688] [https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe5d6e49-8eb0-51cb-9c14-215c9f4bd7b2", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.470610Z", "creation_date": "2026-03-23T11:45:30.470614Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.470623Z", "rule_level": null, "rule_level_override": 
null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6413aa70a5664953223205b6364d676fac0c0491d12ddaadc91b7f12fa53f77b", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe5e84aa-e823-5fdb-b1b5-a3b7d7c2d181", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.979238Z", "creation_date": "2026-03-23T11:45:29.979241Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.979246Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "6c7f24d8ed000bc7ce842e4875b467f9de1626436e051bd351adf1f6f8bbacf8", "comment": "Vulnerable Kernel Driver (aka d2.sys) [https://www.loldrivers.io/drivers/d05a0a6c-c037-4647-99ac-c41593190223/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe6176ae-6f93-5bbc-96d4-5d4795334128", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:29.967693Z", "creation_date": "2026-03-23T11:45:29.967695Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.967701Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "7fb0f6fc5bdd22d53f8532cb19da666a77a66ffb1cf3919a2e22b66c13b415b7", "comment": "Vulnerable Kernel Driver (aka fidpcidrv64.sys) [https://www.loldrivers.io/drivers/a005e057-c84f-47cd-9b4b-5b1e51a06ab4/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe684a73-3224-502b-b6a2-b8e5a6cd1dcf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.619867Z", "creation_date": "2026-03-23T11:45:29.619879Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.619884Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8cef918675dfaeb50cacd36b9c06871fd05e9ffea7addf98a396fae131abe30a", "comment": "Super Micro Computer dangerous update tool (aka superbmc.sys) [https://www.loldrivers.io/drivers/9074a02a-b1ca-4bfb-8918-5b88e91c04a2/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe6b3c93-b100-561e-a35d-433e22332075", "test_maturity_current_count": 0, "test_maturity_delay": 7, 
"test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499269Z", "creation_date": "2026-03-23T11:45:31.499272Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499280Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9aa200322a44c8dcd91a8a7075ee5f23248401a53d532081f28d9b5c7fb49b1a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe7f4840-f5e0-53d4-976a-b8bb2b1632ee", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615272Z", "creation_date": "2026-03-23T11:45:29.615274Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615279Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"299f36c717c5d5d77a8e9c15879e95cd825f74e77c7ed24e7cccbefeb38a2165", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe860e38-399f-5521-908c-2475266b7a6d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.976903Z", "creation_date": "2026-03-23T11:45:29.976905Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.976910Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3513c01158cb9d473c4cf99bb7fa73363531edf5b7bf4c7c4cfedecb6fe1775b", "comment": "Malicious Windows Kernel Explorer Driver (aka WindowsKernelExplorer.sys) [https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe8d2098-c900-5f7f-b3a2-70092468bdfa", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:31.481390Z", "creation_date": "2026-03-23T11:45:31.481394Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.481404Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1050f743944f58a7d74a3b34c8ca5b038de9fee3bf7ab39cfb531742f91db90a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe8e340f-4986-5131-b9ef-3b090fb5b13b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818520Z", "creation_date": "2026-03-23T11:45:31.818524Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818533Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0972fa03d469209602de929894d1a99fc18b5565d621b2aad826e7575a9b72d7", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"fe93ceb1-4223-538a-8034-fdcf4c38d7a1", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467955Z", "creation_date": "2026-03-23T11:45:30.467960Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467969Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9b6d450b6e2b66e8356b9d8a354e8c3a96426b7f15adf2f2025dda13c01881a3", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fe9e30d7-42cd-5bf4-8533-ffc6aa44e019", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818595Z", "creation_date": "2026-03-23T11:45:30.818597Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818602Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "0c018eaa293c03febe2aef1e868fca782a06b49d7d2f9f388ae5fb57604c5250", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fea4556e-3811-5b05-8260-c70f7cc31eb0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.607935Z", "creation_date": "2026-03-23T11:45:29.607937Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.607950Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f9895458e73d4b0ef01eda347fb695bb00e6598d9f5e2506161b70ad96bb7298", "comment": "Micro-Star MSI Afterburner vulnerable driver (aka RTCore32.sys and RTCore64.sys) [CVE-2019-16098] [https://www.loldrivers.io/drivers/275c80c5-a67c-4536-b29e-4e481242cb01/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fea99ad8-0cd1-5ffa-a3bf-f3f17e104c60", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", 
"last_update": "2026-03-23T11:45:31.156758Z", "creation_date": "2026-03-23T11:45:31.156759Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156765Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4e5c7d0ca29d9f9420848aaa8d05ae59aa366a490c2b010e3e1becb3eb0ff3dc", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "feb1a439-8e4e-566c-a5ae-dac318aa0b1e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.140819Z", "creation_date": "2026-03-23T11:45:31.140821Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.140827Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "d1bd9b485f6859a19552d9b01432be73b0bcde66aab8b9423c77d8817e930157", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"feb289df-0bb6-5b34-898a-cb71d54ab887", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.822372Z", "creation_date": "2026-03-23T11:45:30.822374Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.822379Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "8cc23f39380a590d822d9c064a064c274554d814b651ae4b2f0560d8b016f105", "comment": "Vulnerable Kernel Driver (aka ComputerZ.Sys) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "feb6edc4-0730-5325-919b-7be6539cc845", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612933Z", "creation_date": "2026-03-23T11:45:29.612935Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612940Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, 
"rule_confidence_override": null, "references": [], "type": "hash", "value": "615a7c647eba3f2dcea463d5705d5d59ca70b4250f895ad20ce6876076a8fa28", "comment": "Marvin Test Solutions HW vulnerable driver (aka Hw.sys and Hw64.sys) [https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "febb9889-8416-54ca-b5c9-9cc527864a05", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:32.145429Z", "creation_date": "2026-03-23T11:45:32.145433Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:32.145440Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "206006a11f233b9ae876952308f6d60d7a75c80b4d530a3e6146a0b4d8cd3e4f", "comment": "Malicious Kernel Driver (aka driver_206006a1.sys) [https://www.loldrivers.io/drivers/9e0a1bae-6509-41fd-a5bf-dfe6cf388682/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fec757b9-dee7-5ae6-9539-08938e7effc0", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": 
"b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.152899Z", "creation_date": "2026-03-23T11:45:31.152902Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.152910Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ae896bb9bea5396d46552a7b6980110b24751522e55228728d3e15c9760ec610", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fed9d6d0-0c43-5c67-924b-025236b34707", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.157493Z", "creation_date": "2026-03-23T11:45:31.157495Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.157501Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bb31600da026a2b53fed032d906928e27ff317829e8ad77cd20aa838cac05f62", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": 
"fedb3b3e-bbb1-5d14-8e94-dfffa6ade235", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.477141Z", "creation_date": "2026-03-23T11:45:30.477145Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.477153Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "033c4634ab1a43bc3247384864f3380401d3b4006a383312193799dded0de4c7", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fee9d4e6-b1eb-5d40-ae28-11e89a55cd2a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.478162Z", "creation_date": "2026-03-23T11:45:30.478166Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.478175Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, 
"references": [], "type": "hash", "value": "34d55c87feec5eeb4f826fc6301c22017cd3e83387529a06c5493c260597599b", "comment": "Vulnerable Kernel Driver (aka elbycdio.sys) [https://www.loldrivers.io/drivers/855ade1f-8a9e-4c9d-ab8e-d7e409609852/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "feefadfe-5f06-51fb-9061-0e337cb84d75", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.473009Z", "creation_date": "2026-03-23T11:45:30.473012Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.473021Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "922d23999a59ce0d84b479170fd265650bc7fae9e7d41bf550d8597f472a3832", "comment": "Vulnerable Kernel Driver (aka cpuz.sys) [https://www.loldrivers.io/drivers/0f59ce3b-20ac-41ba-8010-2abc74827eb8/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fefdfffa-a9ca-59b6-bc7f-f9fa6b500ab6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.819123Z", "creation_date": 
"2026-03-23T11:45:30.819125Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.819131Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "bb11fe81a2d2ca868398055e9f8cc7349ff4ac6d0a4f1e85e7e5d04ed7357349", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff189a6d-8933-5d47-bacc-5aad0fc2ce04", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.972319Z", "creation_date": "2026-03-23T11:45:29.972321Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.972326Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e7fe1fa6d2e5502ff1882a345790d0aab3ad34fe269ab23e3115d2d93db3fe6b", "comment": "Intel Ethernet diagnostics vulnerable driver (aka iQVW64.sys) [CVE-2015-2291] [https://www.loldrivers.io/drivers/1d2cdef1-de44-4849-80e5-e2fa288df681/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff1dba48-e4ae-5478-a65a-159da779a864", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": 
"quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.479473Z", "creation_date": "2026-03-23T11:45:31.479477Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.479487Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e960f161a76f0f805553471bc9d0eaa4b4dfa346ead37000892f2b7cc3e4872d", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff20271a-86dd-5bd7-8423-8b1792d7b359", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.984017Z", "creation_date": "2026-03-23T11:45:29.984019Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.984024Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"37e33b54de1bbe4cf86fa58aeec39084afb35e0cbe5f69c763ecaec1d352daa0", "comment": "Vulnerable Kernel Driver (aka msrhook.sys) [https://www.loldrivers.io/drivers/1a1cf88a-96d0-46cd-a24d-1535e4a5f6e3/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff21aca7-04e6-5115-b8d7-beed0a7c076d", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.499564Z", "creation_date": "2026-03-23T11:45:31.499567Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.499575Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "829250e3c5cecd882f57e1e64593b7aa3ed89a9919ffa9b85183dac4f1f9b873", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff24216c-1e4e-5239-b499-1c245ee8d2f8", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.816803Z", 
"creation_date": "2026-03-23T11:45:30.816805Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.816811Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "4b4ea21da21a1167c00b903c05a4e3af6c514ea3dfe0b5f371f6a06305e1d27f", "comment": "Vulnerable Kernel Driver (aka CP2X72C.SYS) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff30d18a-4dc2-54c7-9466-0dfa2ff07e2a", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.156310Z", "creation_date": "2026-03-23T11:45:31.156311Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.156317Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "9561b6d8c5328b01f05c7499624469085e1144f0d9f33568f3f1d438b70d06a3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff33279e-1617-5fd8-8baf-d64a7c5f936e", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 
10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.141768Z", "creation_date": "2026-03-23T11:45:31.141770Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.141775Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d6101de6d747a4d88af30797fff089e04996019fa7c0d3c1895b1f92dbcac95", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff3898a6-785a-59f8-8b8c-0f352b1297ce", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469303Z", "creation_date": "2026-03-23T11:45:30.469307Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469323Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": 
"d6d56ffa4dcec362148ce6b3806773403cf7ca61f991e17f7286ee975a706f78", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff3adaaa-2d2c-5f46-924b-1a7f450d5a4b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.465681Z", "creation_date": "2026-03-23T11:45:30.465684Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.465693Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "82ac05fefaa8c7ee622d11d1a378f1d255b647ab2f3200fd323cc374818a83f2", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff4b48ce-f581-5db8-8e6d-1ef95c245b8b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.467355Z", "creation_date": "2026-03-23T11:45:30.467359Z", "enabled": true, 
"block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.467368Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "714ac82a4e2b971f19df9c5cdcc7d7df52ac44ce1bfad675e50122406bed04a2", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff50e5fb-13b8-5020-8e94-0cfd02d550f3", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808811Z", "creation_date": "2026-03-23T11:45:31.808815Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808823Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b0dc31969cb6816b185b4e3bb3e96b8344be4a31826c5d9a0a65d8411ba7d898", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff54fa68-6bc5-5e95-87d7-64773a1a2b35", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", 
"rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.469747Z", "creation_date": "2026-03-23T11:45:30.469750Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.469759Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "29d6155c68ff372a475d6fe5bde64caa68794bb4164f7e1aae7da5b744f6e6d2", "comment": "Malicious Kernel Driver (aka mimidrv.sys) [https://www.loldrivers.io/drivers/87752fb8-e9f6-4235-91e2-c4343677d817/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff6da08d-5126-57d9-b960-7b403a6518de", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.818238Z", "creation_date": "2026-03-23T11:45:31.818241Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.818249Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c96999c48ea74f5631b192f4ce4e64a137e10be4e8d35d68e5199758c2a1dd7c", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware 
Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff6e5dac-ebc3-5044-b75e-973cddfad7c4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.457187Z", "creation_date": "2026-03-23T11:45:30.457190Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.457199Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "89d96210bf36a88acb14086c96e916b790d21b7adf81d0907c823ca2afbe0ce3", "comment": "Vulnerable Kernel Driver (aka iobitunlocker.sys) [https://www.loldrivers.io/drivers/e368efc7-cf69-47ae-8204-f69dac000b22/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff6ebc2e-387d-59ab-86b6-94d9422242cf", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818648Z", "creation_date": "2026-03-23T11:45:30.818650Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, 
"hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818656Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f6e714528ad1b9eae72699078499735468140c1627e45f015762206ba7a77b47", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff849d11-b5d2-5733-92e5-ed5b5b4ae4db", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.810864Z", "creation_date": "2026-03-23T11:45:31.810866Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.810883Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "56bc9c2039028f56ed4735492b4dd06e9042a5c8b3abd87055ae6f3ae5ce1d8b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff8eef78-9470-58c7-b2a5-19886bed49e4", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.808613Z", "creation_date": "2026-03-23T11:45:31.808615Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.808620Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "97a17e66a5a57f9a605a12b28c1f9c19df376c6b1404403c3b7408c90835c4f9", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff91ea5b-d69a-5ce6-95ce-1dde42bd504f", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.612474Z", "creation_date": "2026-03-23T11:45:29.612476Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.612481Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "0ff8bcc7f938ec71ee33fbe089d38e40a8190603558d4765c47b1b09e1dd764a", "comment": "ASUS WinFlash vulnerable driver (aka ATSZIO.sys and ATSZIO64.sys) 
[https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff92cf25-74f6-53f9-810e-9e79c1b2d121", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.142682Z", "creation_date": "2026-03-23T11:45:31.142684Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.142690Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "1427fc96e7fc1ece542fa47154ce48504dd0b894289e3840037c4e5f94c587d4", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff93b0c8-1de4-50f4-913a-89cffcbbf120", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.615954Z", "creation_date": "2026-03-23T11:45:29.615956Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, 
"endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.615962Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "ee15f36881b84a2da82fee37e8ad65e47f1224e64d1d6fe43f7a5ad2efe92f5d", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff97cfe3-92c8-5380-bdab-4c038330e5ec", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.818842Z", "creation_date": "2026-03-23T11:45:30.818844Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.818850Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "fa4be68f1ea1e36aca95fd62b6727cf9d22886c2612391faeb9c56a1c62c2ec9", "comment": "Vulnerable Kernel Driver (aka kerneld.amd64) [https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff9b03e0-9bd2-5400-9c63-47c3f3ef8f19", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.492196Z", "creation_date": "2026-03-23T11:45:31.492198Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.492204Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a832a08b2b26733b0b4263f27457ca0b8ab9c7451eb082957ea54f5404dc6ac8", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ff9b7e8a-404e-56ea-adb3-b4e32c5d6c99", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.980918Z", "creation_date": "2026-03-23T11:45:29.980919Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.980925Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "b7bba82777c9912e6a728c3e873c5a8fd3546982e0d5fa88e64b3e2122f9bc3b", "comment": "Vulnerable Kernel Driver (aka BEDAISY.SYS) 
[https://www.loldrivers.io/drivers/db666d40-c9fa-4039-bfac-a5d7afd61b67/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ffa30052-3e61-5e4f-90c3-9f19529f6670", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.479811Z", "creation_date": "2026-03-23T11:45:30.479812Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.479818Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c2562e0101cb39906c73b96fc15a6e6e3edd710b19858f6bbd0c90f1561b6038", "comment": "Vulnerable Kernel Driver (aka capcom.sys) [https://www.loldrivers.io/drivers/b51c441a-12c7-407d-9517-559cc0030cf6/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ffa6b26f-4ad2-54b9-9195-4e207ad7783b", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.825664Z", "creation_date": "2026-03-23T11:45:31.825666Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": 
"2026-03-23T11:45:31.825671Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "cb80778406fd8002b361bbcba3b20a36c36994c3c3f0de80bf83f566cf5f897b", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ffab4dd8-97ec-58a1-8226-d235b0be3186", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.146259Z", "creation_date": "2026-03-23T11:45:31.146261Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:31.146267Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "f77cb6e917aa001b995d40e33368e33ac666b1ac0523cf7c8a1f86bb95948fb3", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ffc01bb1-7d0b-5e60-8d34-39cf0f99ecc5", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": 
"moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.611096Z", "creation_date": "2026-03-23T11:45:29.611098Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.611103Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3e423caaff9002b38e1d90005df181aa2b3711ebbf6d1eb83941656ccc313811", "comment": "CPUID CPU-Z vulnerable driver (aka cpuz143_x64.sys) [CVE-2017-15302] [https://www.loldrivers.io/drivers/de003542-80e1-4aa0-9b99-ed8647a93a6e/] [authentihash SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ffce4a39-7dcb-5f7d-8bc8-a767df6c5eda", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.460920Z", "creation_date": "2026-03-23T11:45:30.460923Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.460933Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "a6c05b10a5c090b743a61fa225b09e390e2dd2bd6cb4fd96b987f1e0d3f2124a", "comment": "Vulnerable Kernel Driver (aka RTCore64.sys) 
[https://www.loldrivers.io/drivers/e32bc3da-4db1-4858-a62c-6fbe4db6afbd/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ffe0b548-ab82-55ae-981e-2371fa2228b6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:29.614523Z", "creation_date": "2026-03-23T11:45:29.614525Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:29.614531Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "3d9e83b189fcf5c3541c62d1f54a0da0a4e5b62c3243d2989afc46644056c8e3", "comment": "MICRO-STAR vulnerable drivers (aka NBIOLib_X64.sys, NTIOLib_X64.sys, NTIOLib.sys and NBIOLib.sys) [CVE-2021-44899] [http://blog.rewolf.pl/blog/?p=1630] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "ffecf71a-e24b-5d1a-9ee6-20cec15f1657", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:31.490155Z", "creation_date": "2026-03-23T11:45:31.490157Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": 
"stable", "hl_testing_start_time": "2026-03-23T11:45:31.490163Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "2580bdb0cc7653417276370992f103a0b1c8a38642eedd0feebd4c1f80aec21a", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fffac2a2-4dcb-550d-b78f-019c96dbeac6", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", "rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.836244Z", "creation_date": "2026-03-23T11:45:30.836246Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.836252Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "e0d154893940c8abe95477321fcc006636423d9584baa76007013eeb7de56881", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" } { "id": "fffb5883-28f0-5309-ae4d-701c30284f96", "test_maturity_current_count": 0, "test_maturity_delay": 7, "test_maturity_threshold": 10, "global_state": "quarantine", "effective_state": "quarantine", "rule_effective_level": "critical", 
"rule_effective_confidence": "moderate", "source_id": "af44d792-eb22-4e3f-88d2-9d1584001389", "rule_level_overridden": false, "last_modifier": { "id": 1, "username": "system_supervisor" }, "origin_stack_id": "b8e2fe4fc90e4d08", "last_update": "2026-03-23T11:45:30.832835Z", "creation_date": "2026-03-23T11:45:30.832838Z", "enabled": true, "block_on_agent": true, "quarantine_on_agent": true, "endpoint_detection": true, "hl_status": "stable", "hl_testing_start_time": "2026-03-23T11:45:30.832847Z", "rule_level": null, "rule_level_override": null, "rule_confidence": null, "rule_confidence_override": null, "references": [], "type": "hash", "value": "c2dd7461a636a4b507e5aff3cbe8c54545a9c497ca45299e4ba69e34866b37d1", "comment": "Vulnerable Adlice Software Truesight/RogueKiller (v2.0.2) AntiMalware Driver (aka truesight.sys) [https://research.checkpoint.com/2025/large-scale-exploitation-of-legacy-driver/] [file SHA256]", "source": "af44d792-eb22-4e3f-88d2-9d1584001389" }